Preface


We first signed the book contract with Wiley in early 2006. Three years after signing the
book contract, we had completed only one third of the content of the originally planned
book, because we had underestimated the challenges of writing such a specialized book. When
the first author, Yi Qian, joined the faculty of the Department of Electrical and Computer
Engineering at the University of Nebraska-Lincoln in August 2009, he created a new course on
wireless network security for the department. He has been teaching the wireless network
security course in the same department every spring semester since then. When
preparing the course materials for wireless network security each year, we felt more and
more strongly the need for such a comprehensive textbook on wireless network security. In 2015,
we signed the revised contract with Wiley, jointly with IEEE Press, and Feng Ye was
added as a new co-author when he had just received his Ph.D. degree from the Department of
Electrical and Computer Engineering at the University of Nebraska-Lincoln. We have been
improving the content of the wireless network security course every year, and gradually
finished more chapters of the book. Fifteen years after first signing the contract and 12 years
after first teaching the course, with several thousand hours of joint effort from all
three co-authors, we are very pleased to have completed the first edition of “Security
in Wireless Communication Networks”, published by Wiley/IEEE Press in 2021.

This book is intended as a self-contained, one-semester textbook for both senior-level
undergraduate and graduate courses. There are five parts with 15 chapters in the
book. Part I, Introduction and Mathematics Background, includes the first three chapters: a
general introduction to computer communication networks and wireless networks, basic
concepts of network security, and a brief review of the mathematical background that is
needed to understand the rest of the chapters. Part II, Cryptographic Systems, includes the
next three chapters on cryptographic techniques for both symmetric and public key crypto-
systems, as well as message authentication, digital signatures, and key management. Part
III, Security for Wireless Local Area Networks, includes four chapters on Wi-Fi security,
Bluetooth security, Zigbee security, and RFID security. Part IV, Security for Wireless Wide
Area Networks, includes three chapters on GSM security, UMTS security, and LTE security.
Part V, Security for Next Generation Wireless Networks, includes two chapters on 5G wireless
network security and vehicular communication network security. A brief introduction to
each of the fifteen chapters follows.


Chapter 1 presents the general concept of computer networks, highlights the role of wireless
communications in the overall networking architecture, and classifies wireless
systems based on coverage, topology, and mobility. This chapter serves as a precursor
to the rest of the book by providing the background on the different types of wireless
networks, including wireless personal area networks (WPAN), wireless local area networks
(WLAN), and wireless wide area networks (WWAN). It also explains the security threats in
wireless networks and discusses the relationship between network security and wireless
security.

Chapter 2 gives an overview of the security concepts used in the rest of this book,
including security attacks, security services, and security mechanisms. It first presents
the classification of security attacks into passive attacks (e.g. eavesdropping and
traffic analysis) and active attacks (e.g. masquerade, replay, modification, and denial of
service). It then introduces security services, that is, the features of a system design
that counter possible security attacks, such as confidentiality, integrity, availability, access
control, authentication, and non-repudiation. Finally, the remainder of the chapter discusses
the common security mechanisms used to provide these services, such as encipherment and
digital signatures.

Chapter 3 covers the mathematical background related to wireless security, including
number theory and modern algebra, modular arithmetic and divisors, finite fields,
polynomial arithmetic, Fermat’s little theorem, Euler’s totient function, Euler’s theorem, etc.
This background is essential for understanding cryptography, such as the Advanced
Encryption Standard and public-key cryptographic systems. In addition, the
fundamental principles and illustrative cases are concisely presented from the perspective
of mathematics.

After the mathematical background, Chapters 4 and 5 deal with cryptographic techniques.
Chapter 4 first introduces several symmetric key cryptographic techniques by
illustrating a few classical cryptographic algorithms based on substitution and transposition.
It then presents the basic concepts of modern stream and block ciphers as well as the
Feistel cipher structure. Chapter 5 explains further cryptographic techniques using block
ciphers and public key algorithms, including the Advanced Encryption Standard, block cipher
modes of operation, public key infrastructure, the RSA algorithm, etc.

Chapter 6 introduces message authentication and digital signatures, which protect the integrity
of a message and the identity of the sender, respectively. First, this chapter
discusses MACs and hash functions thoroughly, both widely used to provide message
authentication. Then, it goes into the characteristics of digital signatures and a series of
digital signature standards such as DSA, RSA, and ECDSA; these also protect the sender
and receiver against each other. Within the aforementioned mechanisms, key management
and distribution play a critical role. The rest of the chapter gives a general idea and some
examples of key management schemes. Both symmetric and asymmetric key distribution
are illustrated, since key distribution mechanisms use symmetric and public
key techniques for different purposes. Furthermore, practical communication systems with
massive numbers of users need hierarchical key distribution mechanisms. Readers are expected to
understand the basic concepts of the cryptographic techniques illustrated in Chapter 5 and
Chapter 6, because these algorithms reappear in the wireless systems introduced in the later
chapters. The more advanced mathematical material, such as elliptic curve
Diffie-Hellman key exchange and elliptic curve digital signatures, may be skipped.

The remaining chapters, 7 to 15, focus on the security of specific wireless communication
systems, covering different scales of networks and different technologies
including WLAN, Bluetooth, ZigBee, RFID, GSM, UMTS, LTE, and 5G. As the emerging
vehicle-to-everything (V2X) communications are receiving great attention, the fifteenth
chapter specifically discusses the security of V2X communications.

Chapter 7 discusses the security of wireless local area networks (WLAN), nowadays
commonly called Wi-Fi. It starts with an introduction to WLAN in terms of operating
modes and security challenges. A WLAN is more vulnerable to attacks than a wired
connection because no physical connection to the medium is required. The chapter traces the
generations of WLAN security protocols, which evolved from the original Wired Equivalent
Privacy (WEP) defined in IEEE 802.11, through Wi-Fi Protected Access (WPA) and WPA2,
to the recent WPA3, each improving on the security of its predecessor. It also analyzes the
implementation details of these security protocols.

Chapter 8 deals with Bluetooth security. Bluetooth is an open standard designed for
wireless personal area networks (WPAN). Bluetooth technology enables many wireless
devices, such as smartwatches, wireless headphones, wireless keyboards, etc. The Bluetooth
standard specifies authentication, authorization, and confidentiality for securing data
transmission. The chapter analyzes the security modes, trust levels, and service levels
that make Bluetooth security policies flexible, and stresses that the Bluetooth
specifications do not by themselves guarantee a connection secure against every adversary.
An organization that uses Bluetooth technology should therefore develop security
policies that address the use of Bluetooth-enabled devices and the responsibilities of users.

Chapter 9 discusses the security of Zigbee. It first gives an overview of the Zigbee standards
related to the different network layers, and then mainly analyzes the key cryptographic
mechanisms. As Zigbee adopts symmetric-key cryptographic mechanisms, the chapter
emphasizes that secure storage and distribution of keys is the premise of ensuring the security
of Zigbee. In practice, the security provided by the Zigbee standards alone is not enough. For
example, when a Zigbee device joins a network, intruders can intercept keys that are transported
unprotected. Moreover, because of the low cost of Zigbee devices, an attacker may easily gain
physical access to one and extract privileged information. Security must therefore be carefully
considered when building applications on Zigbee.

Chapter 10 deals with the security of RFID. It first gives an overview of RFID subsystems,
the different types of RFID tags, and the frequency bands. It then analyzes the security attacks,
risks, and security objectives of RFID systems. RFID systems are vulnerable to attacks such as
counterfeit tags, eavesdropping, and electronic collisions, and to privacy risks such as disclosure
of users' location information. The security objectives of an RFID system include
confidentiality, integrity, non-repudiation, and availability. Due to the low cost and physical
constraints of RFID tags, the mechanisms available for mitigating security risks are limited. The
chapter then elaborates on the lightweight cryptographic algorithms, anti-collision algorithms, and
physical protection available for RFID. It is imperative to provide security services to RFID
systems.

Chapter 11 deals with the security of the Global System for Mobile Communications (GSM).
Deployed since the early 1990s, GSM has been the most widely used cellular mobile phone system
in the world, providing services such as voice communications, short messaging, etc. This chapter
starts with the GSM system architecture and then discusses the network access security
features and algorithms. Despite its popularity, the GSM system is exposed to quite a few
threats. The chapter mainly discusses the attacks enabled by the weaknesses of the security
algorithms, as well as some possible security improvements. Unfortunately, GSM saw very
few improvements in these respects before being phased out in recent years.

Chapter 12 introduces the security of the Universal Mobile Telecommunications System
(UMTS). UMTS is a successor of GSM with better security; several security mechanisms
are reused, but with modifications. After introducing the UMTS architecture, the chapter
discusses the security mechanisms of UMTS, such as authentication and key agreement,
data confidentiality and integrity, and user identity confidentiality. Compared with
GSM, UMTS adds integrity protection. Algorithms f8 and f9 provide confidentiality and
integrity, respectively; both are based on the block cipher KASUMI. Readers
may be interested in some additional security features of UMTS, such as mobile device
identification, location services, and user-to-USIM authentication, which are discussed at
the end of the chapter.

Chapter 13 illustrates Long-Term Evolution (LTE) security. It starts with an introduction
to the LTE system architecture, which builds on GSM and UMTS. A key difference from its
predecessors is that LTE separates the control plane and the user plane, which distinguishes
LTE security from that of GSM and UMTS. It then describes LTE security in terms of security
architecture, security mechanisms, and algorithms. LTE defines a larger key hierarchy and
additional security algorithms, such as those based on AES and ZUC, to secure a more complex
system. It also highlights LTE security for interworking with legacy systems as well as for
non-3GPP access. LTE implements stronger security than the previous generations, and it
will continue to serve as an important part of next-generation wireless systems.

Chapter 14 discusses the security of 5th generation (5G) wireless network systems. 5G
started large-scale commercial deployment around 2020 and is the next-generation mobile
wireless telecommunications system beyond 4G/International Mobile Telecommunications
(IMT)-Advanced. This chapter illustrates current developments, challenges,
and future directions of 5G wireless network security. It especially analyzes several new
security requirements and challenges introduced by the advanced features of 5G wireless
network systems. Because 5G is still under development, the chapter only discusses
present solutions and research results concerning the security of 5G wireless network
systems. Quite a few challenges in 5G wireless network security, including new trust models,
new security attack models, privacy protection, etc., call for continuous development
of 5G security; these challenges are briefly analyzed in the final part of the chapter.

In recent years, as a key component of Intelligent Transportation Systems, vehicle-to-
everything (V2X) communications have received great attention. The rapid development
of wireless technologies (e.g. DSRC, LTE, and 5G) enables V2X communications in
different applications. To integrate the variety of wireless technologies and meet the special
requirements of V2X communications, security and privacy have become a top priority.
Therefore, the last chapter of the book discusses the security of V2X communications.
Standards such as IEEE WAVE and LTE-V2X set general guidelines for V2X security
implementations. New cryptographic schemes, such as group signatures and trust-based
schemes, are under development. This chapter covers all these topics. As an emerging
type of wireless communication scenario, V2X communications still face quite a few unsolved
security challenges. The chapter discusses several key challenges, including efficient schemes,
hardware enhancement, and the integration of AI algorithms, at its end.

Our teaching philosophy is to let the students learn the basic building blocks that are
necessary to design a secure wireless system, and to learn the security designs of different
wireless communication networks, from the earliest to the next generation and at different
scales from personal area, to local area, to wide area wireless networks, so that the students
will be able to handle the new designs of future secure wireless systems.
Introduction


A wireless communication network is a computer network that uses wireless connections
between network nodes. Wireless networking is a way to connect telecommunications
networks, business installations, or equipment at various locations
while avoiding the costly process of installing cables. Examples of wireless communication
networks include cellular networks, wireless local area networks (WLANs), wireless
ad-hoc networks, wireless sensor networks, vehicular communication networks, and
satellite communication networks. Wireless communication networks are becoming
ubiquitous with the growth of mobile Internet applications, technological advances
in radio communications and communication infrastructure backbones,
and the spread of mobile wireless devices and consumer electronics [1]. Over the last three
decades, we have witnessed several critical moments in the evolution of next generation
wireless communication networks. During the 1990s, we witnessed the popularity of
personal computers and Internet access for common households as well as the arrival of
accessible 2G cellular wireless communications. During the 2000s, we witnessed the tremendous
growth of e-commerce on the Internet and the deployment of 3G cellular wireless communications,
as well as WLANs for mobile Internet. Since 2010, we have witnessed increasing
bandwidth and quality-of-service for 4G cellular wireless communications with more and
more applications on the mobile Internet. Wireless communication technology
continues to advance to the next generation with high capacity, low latency, and low
energy consumption, for better support of the Internet of things and many other new
service capabilities. From the beginning, security for wireless communication networks
has always been a critical issue. In this chapter, a brief introduction is given to wireless
communication networks and to the basic concepts of wireless communication network security.


1.1 General Computer Communication Network Architecture 


1.1.1 Wired Communication Network Infrastructure 


Computer communication networks interconnect a collection of network nodes including
computer and communication devices, routers, gateways, and switches [2]. The Internet
can be considered the largest computer network, interconnecting billions of
autonomous nodes around the globe. Obviously, standalone computers are not the only type
of device that has network access. Smart phones, tablets, smart sensors, vehicles, and many
other devices are also connected to computer networks. With the network, data collection
and data exchange can be enabled to support further control required by some services.
Computer networks have been developed and deployed for many years. In general,
computer networks are comprised of wired networks and wireless networks. Although
wireless networks are more accessible to regular users in today’s communications, the
backbone infrastructures still rely significantly on wired networks. Figure 1.1 shows a
generic framework of traditional wired networks. User equipment in wired networks is
referred to as fixed communication terminals due to limited mobility. In the early days, user
equipment such as land-line telephones and desktop computers was directly connected
to a network switch or a network router through physical network cables. In modern
data centers and cloud computing centers, the servers are also hard wired to switches or
routers. The core network consists of many switches and routers that are interconnected
with physical media, such as copper wire, Ethernet cable, fiber optics, etc.

Figure 1.1 Traditional wired networks.


1.1.2 Wireless Communication Network Infrastructure 


Computer and communication nodes access a wireless communication network
through wireless links. However, despite the name, most wireless communication
systems only deploy wireless components at the edge of the communication infrastructure,
as shown in Figure 1.2. The core network in a general wireless communication
infrastructure is a wired network. For example, in a cellular network, the core infrastructure
is connected by fiber optic cables and Ethernet. Users are aware of the wireless access
only from their user equipment, such as smart phones, tablets, laptops, etc. The wireless
access is provided by adding extra components and resources to the core network infrastructure.
These extra components and resources include:


• Wireless transceivers: base stations, access points (APs), mobile stations (MSs), etc.
• Management entities: mobility management, power management, radio resource
management, security management, etc.
• Spectrum: radio frequency bands for data transmission and the air interface.
• Deployment: spectrum reuse, wireless network design, etc.

Figure 1.2 Positioning of wireless networks.


One advantage of wireless communication networks is flexible access from user equipment.
Network access can be provided to any user who is within the radio coverage.
Therefore, wireless access is more flexible and more convenient than wired
access. Wireless users are not restricted by a limited number of Ethernet ports or
by cables that are too short. The deployment cost of wireless communications is also lower than
that of wired communications in most cases. For example, a home Wi-Fi network can be
established with a single Wi-Fi router, while a traditional Ethernet based home network
would require a large amount of Ethernet cabling.


1.2 Different Types of Wireless Communication Systems 


1.2.1 Classification of Wireless Communication Systems 


Wireless communication systems can be classified in several ways, based on coverage, 
topology, or mobility, as illustrated in Figure 1.3. 


1.2.1.1 Based on Coverage 

Wireless communication systems are classified into wireless personal area networks
(WPANs), wireless local area networks (WLANs), and wireless wide area networks (WWANs).
This classification depends on the limitations of the wireless technology as well as the
applications it supports. For example, while both Bluetooth and Wi-Fi can provide radio coverage
large enough for an office, only Wi-Fi is considered a WLAN. Subtle differences exist due
to other classification criteria as well. In some classifications, wireless metropolitan area
networks are listed as a separate type of wireless communication system. Wide area networks
in traditional wired computer networks are usually the backbone infrastructure. However,
a wireless metropolitan area network has the largest coverage before it is connected to the
wide area network backbone. Thus, without loss of generality, both wireless metropolitan
area networks and WWANs are treated the same (as WWANs) in this book.

Figure 1.3 Classification of wireless communication systems.


1.2.1.2 Based on Topology 

Wireless communication systems are classified into infrastructure based and ad-hoc based.
An infrastructure based wireless communication system requires a fixed backbone
communication infrastructure. For example, a cellular network has wireless access from user
equipment, but it requires fixed base stations and a backbone network infrastructure.
A home Wi-Fi network has wireless access from user equipment, but it requires a fixed router that is
hard-wired to an Internet service provider. An ad-hoc wireless communication system does
not require a fixed infrastructure. For example, a wireless headphone may be connected
to a smart phone using Bluetooth technology. In this communication system, data
communication between the headphone and the smart phone is wireless, based on Bluetooth
technology, and no fixed infrastructure is required at either end.


1.2.1.3 Based on Mobility 

Wireless communication systems are classified into fixed, stationary, portable, and mobile.
A fixed wireless communication system indicates a fixed deployment of equipment, for
example, cellular base stations with fixed microwave links. A stationary wireless
communication system indicates a semi-fixed deployment of equipment, for example, a
temporary relay vehicle for cellular systems. A portable wireless communication system
indicates a more flexible deployment of equipment, with communications enabled when
users are not moving fast; for example, users of a home Wi-Fi network have network service
on their portable devices. A mobile wireless communication system requires support for
services during high speed movement. For example, a general cellular network is a mobile
system since services are provided to users, whether moving or not, as long as they are
within the radio coverage.




1.2.2 Wireless Personal Area Networks 


A WPAN is used for communications among a person's own devices. Therefore,
a WPAN usually has an ad-hoc topology. As shown in Figure 1.4, master-slave mode
and mesh mode are the two types of ad-hoc networks that can be applied to WPANs.
A master-slave ad-hoc network consists of a master node and multiple slave nodes. The
master node defines a cell, or piconet. The slave nodes within the piconet connect to the master
device. A WPAN based on Bluetooth typically applies master-slave mode. For example,
if a wireless headphone is connected to a smart phone using Bluetooth, then the smart
phone is the master node and the headphone is a slave node. The user may also connect
a Bluetooth keyboard to the same smart phone as another slave node. Some WPANs apply mesh
mode, where nodes are interconnected with wireless links without forming a specific cell
or piconet; examples include sensor networks, radio-frequency identification (RFID), vehicular
ad-hoc networks, etc.


1.2.3 Wireless Local Area Networks


WLANs are infrastructure based wireless communication systems. They are normally built
on top of a wired local area network (LAN). One of the typical WLAN settings is a home
Wi-Fi network, which forms one basic service set (BSS) that includes one AP and multiple user
devices. The AP may have extra Ethernet ports to support wired access from servers, desktops,
and other devices. As shown in Figure 1.5, a WLAN may form an extended service set
(ESS) that comprises multiple BSSs, similar to a traditional Ethernet based LAN. All APs are
interconnected, in most cases through wired connections. A user may be within the radio
coverage of multiple APs; nonetheless, each user belongs to only one BSS at a time. That is
to say, each user is associated with only one AP in an ESS at any given time.


1.2.4 Wireless Wide Area Networks 


A WWAN has the largest service coverage of all wireless communication systems. As shown
in Figure 1.6, the general architecture of a WWAN has different components at the radio level,
the network level, and the management level.


Figure 1.4 Architecture of wireless personal area networks (master-slave ad-hoc mode and mesh mode).

Figure 1.6 Architecture of wireless wide area networks.


The radio level provides wireless access to user equipment, or mobile stations (MSs),
which can be a mobile phone, a smart watch, a vehicle, etc. MSs access the WWAN through
points of access in the infrastructure. A point of access is the physical radio transceiver; it
creates the air interface and communicates with the MSs. Points of access may be base stations,
base transceiver stations (BTSs), mobile data base stations, APs, NodeBs, eNodeBs, etc., depending
on the wireless technology deployed.

The network level is the backbone infrastructure that connects all switches and routers
in the network. A radio network controller (RNC) bridges the radio level and the network
level. The RNC provides spectrum and power management to base stations and handles other
aspects of wireless access. A mobile switching center (MSC) in the network level is a mobile
data intermediate system that bridges the network level and the management level in cellular
communication systems. The MSC manages the mobility of devices and keeps track of the location
of MSs. The MSC also enforces security by using the authentication center and the equipment
register in the management level to prevent fraudulent devices from using the network.

The management level performs the administrative operations of network service
providers, such as accounting and billing. In a cellular communication system, the management
level includes the visitor location register, home location register, authentication
center, operation and maintenance center, and equipment register.


1.3 Network Security and Wireless Security


1.3.1 Network Security 


Network security depends on the context in which it is used. It is also
dictated by the needs of individuals, the customs and laws of a region, and the policies of an
organization. There are different kinds of security breaches. For example, an unauthorized
person gains access to confidential records across a network. A malicious user intercepts and
modifies an authorization file over a network. Or a data file is received but
the sender denies having sent it. All of these examples are security attacks of different
kinds. In general, network security is defined as the protection of networks and their services
from unauthorized modification, destruction, or disclosure. Network security provides
assurance that the network performs its critical functions correctly, with no harmful
side-effects [3]. Network security focuses mainly on networks, network protocols, and
network applications. It covers all network devices, all applications, and all data utilizing a
network; for example, routers, switches, smart phones, tablets, etc.

Figure 1.7 illustrates the generic security terminology in a communication network
system. As shown in the figure, information is usually the target of security attacks. In
order to protect the information, requirements and policies first need to be specified.
These form the overall and detailed plan of what the potential risks are and what to protect,
and state what is allowed and what is not. The security services required by a
system can then be developed from the specific requirements and policies; examples of
security services are confidentiality, integrity, availability, etc. Many security mechanisms
have been developed to provide the various security services. Carefully designed security
mechanisms detect, prevent, or recover a communication network system from security attacks.
In most cases, multiple security mechanisms must be deployed together to provide even one
security service, and no single security mechanism can provide all security services in
a communication network system. Together, the requirements and policies, security services, and
security mechanisms form the security architecture of a communication network system.

Figure 1.7 Generic security terminology.


1.3.2 Security Threats in Wireless Networks 


Some security threats are generic to computer networks, for example, hardware sabotage,
data leakage, etc. However, wireless networks have unique issues because of the shared
transmission medium, which makes it easier for a malicious user to attach to a wireless
network. Even when access to a wireless communication network system is denied by
authentication and access control, a malicious user can still monitor data traffic by
eavesdropping on the relevant radio frequencies. A malicious user can also launch active attacks
more easily against a wireless communication network system; for example, by continuously
transmitting strong signals to jam a radio spectrum. Therefore, the vulnerabilities and
security problems of wireless communication networks have to be addressed from several
different aspects.
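The jamming attack mentioned above is hard to distinguish from an ordinary bad channel, because both show up at the receiver as lost frames. As an added example (not code from the book), the following Python script shows one heuristic a receiver can apply: a fading link delivers few frames and shows weak received signal strength, whereas a jammer keeps strong energy on the channel while frames still fail to decode. The FrameStat records, the three thresholds, and the three-window trace are constructed for illustration; the consistency check between packet delivery ratio (PDR) and received signal strength (RSSI) is a commonly cited detection heuristic, not a method from this chapter.

```python
"""Telling jamming from channel degradation with a PDR/RSSI consistency check.

Added illustration, not from the book. Assumptions (constructed for the
example): per-slot statistics consisting of an RSSI reading and a decode
result, and the three thresholds below. A real deployment would calibrate
the thresholds for its radio and environment.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List

PDR_LOW = 0.5            # packet delivery ratio below this means the link is failing
RSSI_STRONG_DBM = -70.0  # above this the channel clearly carries strong energy
RSSI_WEAK_DBM = -85.0    # below this the received signal is clearly weak


@dataclass(frozen=True)
class FrameStat:
    """One receive slot: measured RSSI in dBm and whether a frame decoded."""
    rssi_dbm: float
    decoded: bool


def classify_window(window: List[FrameStat]) -> str:
    """Label a window of slots as normal, channel_degradation,
    suspected_jamming, or inconclusive.

    Low delivery together with weak RSSI is consistent with fading or
    distance. Low delivery together with strong RSSI is inconsistent: the
    receiver hears plenty of energy but cannot decode, the signature of a
    jammer occupying the channel.
    """
    if not window:
        raise ValueError("empty window")
    pdr = sum(1 for f in window if f.decoded) / len(window)
    rssi = mean(f.rssi_dbm for f in window)
    if pdr >= PDR_LOW:
        return "normal"
    if rssi >= RSSI_STRONG_DBM:
        return "suspected_jamming"
    if rssi <= RSSI_WEAK_DBM:
        return "channel_degradation"
    return "inconclusive"


def classify_trace(trace: List[FrameStat], window_size: int = 10) -> List[str]:
    """Slide a non-overlapping window over a trace and label each window."""
    return [classify_window(trace[i:i + window_size])
            for i in range(0, len(trace), window_size)]


def constructed_trace() -> List[FrameStat]:
    """Three constructed windows of ten slots each (sample data, not a capture):
    a healthy link, a link that fades out, and a link hit by a jammer."""
    healthy = [FrameStat(-60.0, i != 3) for i in range(10)]       # 9/10 decoded
    fading = [FrameStat(-92.0, i in (0, 5)) for i in range(10)]    # 2/10 decoded, weak
    jammed = [FrameStat(-55.0, i in (2, 7)) for i in range(10)]    # 2/10 decoded, strong
    return healthy + fading + jammed


if __name__ == "__main__":
    for label in classify_trace(constructed_trace()):
        print(label)
```

Running the script labels the three windows normal, channel_degradation, and suspected_jamming. A practical detector would also watch the measured noise floor and handle the inconclusive band between the two RSSI thresholds, since a jammer placed far from the receiver, or a reactive jammer that transmits only when it senses a frame, does not produce the clean signature shown here.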


• Wireless networks suffer from limited coverage and the harshness of the radio channel at the
physical layer. Transmission in wireless networks therefore has relatively high error rates,
with little or no guarantee of channel quality. Because of that, it is hard to tell a denial of
service (DoS) attack (an attack that makes a network resource unavailable to its intended users)
from channel degradation.

• Wireless networks require a decentralized medium access mechanism at the medium access
control (MAC) layer because of the open “broadcast” medium. Fundamental types of
medium access mechanisms include frequency division multiple access (FDMA), time
division multiple access (TDMA), code division multiple access (CDMA), space division
multiple access (SDMA), etc. Besides access control, several other aspects, such as
throughput, delay, and quality of service (QoS), also need to be addressed at the MAC layer.

e Wireless networks need to deal with mobility of users. On one hand, mobility is a revo- 
lutionary advantage of wireless networks. MSs in wireless networks are not restrained 
to certain deployments; they are free to move within the coverage of the networks. 
On the other hand, mobility introduces management problems for wireless networks. 
For example, location tracking and handoff management as MSs move. When the scale 
of wireless network is large, more issues come to database management. 

e Wireless networks need to manage transmission power and radio resources. Generally 
speaking, raising transmission power level can increase transmission quality for one link. 
However, interference to other users will be increased thus reducing the transmission 
quality of other users. Coverage of a wireless network is limited, and it is common that 
a MS roams from one base station to another one. The process of a MS moving from one 
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base station to another base station is called handoff. Bear in mind that wireless signals 
do not have clear boundaries; therefore handoff decision must be carefully made. If a MS 
moves frequently around the overlap region of two base stations, insufficient handoffs 
will interrupt transmission, while unnecessary handoffs can increase load to the system. 
Wireless networks are versatile. There is no single type of wireless access available 
everywhere. Cellular service providers adopt different kinds of wireless technologies. 
Therefore, very few cell phones can roam across the globe successfully. Even Wi-Fi has 
different specifications in each AP. For this reason, network design and deployment are 
to be carefully planned in wireless networks. Besides, spectrum resource is also scarce, 
therefore coexistence of users and interference among users must be carefully addressed. 
Security concerns in network operations and management need to be addressed in wire- 
less networks. On one hand, network operators need to enable resources and services 
to MSs safely and privately. On the other hand, network operators also need to authen- 
ticate legitimate MSs, especially the roaming ones. Correct accounting and billing for 
subscribers are based on secure network operations and management. 

Service discovery and data management are problems to be addressed in some wire- 
less networks, e.g. sensor networks and RFIDs. For example, how is data maintained? 
How to ensure integrity and confidentiality of data? Moreover, a mobile device needs 
to be lightweight with reasonably long battery life. Therefore, energy efficient designs 
of software and protocols are unique for wireless networks. While many of these secu- 
rity problems have been studied in wired networks, the solutions proposed there are in 
general too computationally demanding to work for wireless networks, because mobile 
devices have limited computational resources and power supply. Communications must 
also be minimized due to scarce spectrum resource. 


1.4 Summary 


This chapter gives an introduction to general communication network architectures and
wireless communication architectures, as well as to security threats in wireless
communication networks. The same security objectives that exist in wireline communication
networks are also needed in wireless networks, but they must be addressed in the context of
wireless-specific characteristics such as physical layer issues, MAC layer issues, mobility
management, radio resource and power management, wireless network design and
deployment, wireless network operations and management, wireless application issues, etc.
The next chapter introduces the security concepts that are most relevant to wireless
communication networks. Readers are encouraged to read more on wireless communication
networks themselves for a better understanding of security in wireless networks [4-6].


2

Most readers use wireless networks to access communication infrastructure or the Internet
for work and daily life. Whether you use a mobile phone or other wireless devices over
cellular networks, Wi-Fi, or Bluetooth, you should be concerned about the security of these
networks and want to make sure that they are secure. As discussed in the last chapter, a
security architecture consists of requirements and policies, security services, and security
mechanisms. In this chapter, we further introduce the concepts that will be used in the rest
of this book in the design and operation of a secure communication network in general, and
a secure wireless network in particular. These concepts include security attacks, security
services, and security mechanisms.


2.1 Security Attacks 


Security attacks in communication networks are formally classified as passive attacks 
and active attacks in X.800 Recommendation [7] by the International Telecommunication 
Union, Telecommunication Standardization Sector (ITU-T) and RFC 2828 [8] by the 
Internet Engineering Task Force (IETF). A high-level description of security attacks is 
shown in Figure 2.1. Passive attacks do not interfere with a legitimate system directly,
leaving users unaware of the attacks. Active attacks intrude into a legitimate system by
altering its original resources, thus causing damage to the system. Both passive and active
attacks compromise a legitimate system.


2.1.1 Passive Attacks 


Passive attacks include eavesdropping and traffic analysis, which do not interfere with the
current operation of the legitimate system.


2.1.1.1 Eavesdropping 

Figure 2.2 shows an example with two authorized users and one eavesdropper. The
eavesdropper is located somewhere within the transmission range, so the attacker is able to
monitor data transmission and gather unprotected information. The first generation mobile
communication system suffered from this issue because of its unencrypted analog signal. At
that time, anyone with the necessary equipment could monitor a conversation. Mobile
transmissions have been encrypted since the second generation mobile communication
system, so the contents of a conversation are no longer exposed to a casual eavesdropper.
Still, much information can be captured by eavesdropping in wireless systems. For example,
in a Wi-Fi system, the service set identifier (SSID), device MAC addresses, and some other
information are broadcast in clear text. As a security protection, some Wi-Fi users apply a
whitelist to filter unauthorized MAC addresses. However, eavesdroppers can capture MAC
addresses by monitoring the traffic with software tools and then change their own MAC
address accordingly to bypass the filter.

Figure 2.1 Security attacks.
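The following added example (written for this edition; it is not code from the book) makes the last two points concrete. It builds a constructed 802.11 beacon and a station-to-AP data frame, shows that a receiver needs no key to read the BSSID, SSID and transmitter address from the frame header, and then shows a MAC whitelist accepting a frame whose source address was simply copied from an eavesdropped one. The BSSID, client and attacker addresses and the SSID are all made up for the example.

```python
import struct

# All addresses and frames below are constructed for this example; they are
# not captured from a real network.
BSSID = bytes.fromhex("001122334455")        # hypothetical access point
BROADCAST = b"\xff" * 6
MAC_HDR = "<HH6s6s6sH"                       # FC, duration, addr1-3, seq ctl
MAC_HDR_LEN = struct.calcsize(MAC_HDR)       # 24 bytes


def build_beacon(ssid: bytes, bssid: bytes = BSSID) -> bytes:
    """Build a minimal 802.11 beacon: management frame (type 0), subtype 8."""
    header = struct.pack(MAC_HDR, 0x0080, 0, BROADCAST, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
    ssid_tag = bytes([0, len(ssid)]) + ssid        # tag 0 = SSID, sent in clear
    rates_tag = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + fixed + ssid_tag + rates_tag


def parse_beacon(frame: bytes) -> dict:
    """What any receiver in range learns from a beacon without any key."""
    fc, _dur, _a1, _a2, addr3, _seq = struct.unpack_from(MAC_HDR, frame, 0)
    if fc & 0x00FC != 0x0080:                      # type 0 (mgmt), subtype 8
        raise ValueError("not a beacon frame")
    body = frame[MAC_HDR_LEN + 12:]                # skip the fixed parameters
    tags, pos = {}, 0
    while pos + 2 <= len(body):                    # walk the tagged parameters
        tag_id, length = body[pos], body[pos + 1]
        tags[tag_id] = body[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"bssid": addr3.hex(":"),
            "ssid": tags.get(0, b"").decode("utf-8", "replace")}


def build_data_frame(src: bytes, payload: bytes, bssid: bytes = BSSID) -> bytes:
    """Station-to-AP data frame (To-DS set): addr1 = BSSID, addr2 = source."""
    header = struct.pack(MAC_HDR, 0x0108, 0, bssid, src, bssid, 0)
    return header + payload


def source_mac(frame: bytes) -> str:
    """addr2 is the transmitter address; the header is never encrypted."""
    return struct.unpack_from(MAC_HDR, frame, 0)[3].hex(":")


class MacFilterAP:
    """Access control by MAC whitelist, as some home APs offer."""

    def __init__(self, allowed):
        self.allowed = {m.lower() for m in allowed}

    def accept(self, frame: bytes) -> bool:
        return source_mac(frame) in self.allowed


def mac_filter_bypass() -> dict:
    ap = MacFilterAP(["aa:bb:cc:dd:ee:01"])                # constructed whitelist
    legit = build_data_frame(bytes.fromhex("aabbccddee01"), b"legit traffic")
    attacker_own = bytes.fromhex("deadbeef0001")          # constructed attacker MAC
    # The eavesdropper reads the clear-text header of the legitimate frame ...
    observed = source_mac(legit)
    # ... and transmits with that address as its own.
    spoofed = build_data_frame(bytes.fromhex(observed.replace(":", "")), b"attacker")
    return {
        "legit_accepted": ap.accept(legit),
        "attacker_own_mac_accepted": ap.accept(build_data_frame(attacker_own, b"x")),
        "spoofed_mac_accepted": ap.accept(spoofed),
    }


if __name__ == "__main__":
    print(parse_beacon(build_beacon(b"HomeNet")))
    print(mac_filter_bypass())
```

The whitelist check is sound only as long as the identifier it checks cannot be observed and copied; since the 802.11 header is never encrypted, the check is defeated by any station in range. This is the general lesson of the passage: an access control decision must rest on something the attacker cannot eavesdrop, which in practice means an authentication exchange rather than an address.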


2.1.1.2 Traffic Analysis 
An attacker doing traffic analysis is essentially an eavesdropper, but with purposes other
than simply monitoring the contents of data traffic, as shown in Figure 2.3. With data
transmission being encrypted, basic eavesdropping is not very useful for getting
information. However, the pattern of transmission can be useful to an attacker. For
example, an attacker might be able to locate the legitimate transmitter by measuring signal
strength at different locations. The frequency and length of messages might also be
revealed to the attacker by tracking the pattern of transmission.

Passive attacks are difficult to detect since there is no data alteration or system
manipulation; to authorized users, the system functions as if there were no security issue.
Wireless systems therefore usually implement prevention mechanisms rather than detection
ones, assuming that passive attacks exist: for example, encrypting data traffic, sending
dummy traffic between real data transmissions, etc.

Figure 2.3 Traffic analysis in wireless networks (capturing transmission patterns, e.g.
signal strength).


2.1.2 Active Attacks 


Active attacks have a direct impact on a legitimate system: modification of the original
data stream, injection of a false data stream, draining of system resources, and several
other types of attack. Generally speaking, active attacks fall into four categories:
masquerade, replay, modification, and denial of service (DoS).

Masquerade: An attacker pretends to be some other entity, usually an authorized user. 
As illustrated in Figure 2.4, the attacker attempts to establish a connection with user B and 
pretends to be user A. 

Replay: An attacker first captures a message, whether encrypted or not, then replays this 
message to its designated receiver. As illustrated in Figure 2.5, the attacker first captures 
the message sent from user A to user B. Later, the attacker replays the message to user B. 
Capturing the original message in the first step usually involves passive attacks such as 
eavesdropping. 

Figure 2.5 An example of replay attack.

Modification: An attacker first intercepts and modifies the original message, then
forwards the modified message to the legitimate receiver. As illustrated in Figure 2.6,
the attacker first intercepts the message sent from user A to user B. Before user B receives
the original message, the attacker modifies the message and forwards it to user B. Ideally,
the attacker should also block user B from receiving the original message from user A;
otherwise user B would usually discard the modified message sent by the attacker.

Denial of service: A DoS attack makes system resources unavailable to authorized users.
As illustrated in Figure 2.7, a user cannot establish a radio connection for network services
because a DoS attack has been launched. A typical example of a DoS attack in the early days
of mobile phone systems is flooding a legitimate user with constant calls and/or text
messages so that the user cannot establish connections with other intended users. Spam text
messages still exist in today's mobile phone systems, where a user's device may be paralyzed
by tens of thousands of text messages arriving constantly.

Figure 2.7 An example of DoS.


Discussion: Is hacking a Wi-Fi password a passive attack or an active attack? (The attack
stops once the password is retrieved.)

Technically, hacking a Wi-Fi password does not trigger an alarm in the system, since the
process can be done without interrupting the user or the system. However, eavesdropping or
traffic analysis alone is not effective for retrieving the password. The attacker must try
some candidate passwords with the system, and in doing so the attacker is masquerading as
an authorized user during the connection establishment process. Moreover, if the attacker
launches an exhaustive search by trying all possible passwords at a high rate, then the
resources of the system (i.e. the access point in a Wi-Fi network) may be mostly occupied
by the attacker, thus causing a DoS attack against intended users. (For WPA/WPA2
pre-shared key networks, candidate passwords can also be tested offline against a captured
four-way handshake, so only the capture itself touches the network; the online guessing
described here is what the access point can observe.) Of course many more attacks, both
passive and active, can be launched once the password is revealed to the attacker.


Until now, readers should realize that security attacks are more than hacking some pass- 
words. Many security attacks can be launched without hacking users’ passwords. Some 
security services do not require passwords at all, for example, data integrity. 


2.2 Security Services 


Security services are the features of a system design that counter possible security attacks.
A wireless system designer and/or provider must evaluate the security targets of users and
the forthcoming threats to a particular system. Corresponding security services are then
chosen and implemented. The National Institute of Standards and Technology (NIST)
computer security handbook [9] introduces three key security services that apply not only to
wireless security but to computer security in general: confidentiality, integrity, and
availability. In addition, typical security services include access control, authentication,
and non-repudiation.


2.2.1 Access Control 


This service controls access by authorized users to resources in the system. There may be
varying levels of access and control, i.e. an authorized user may not have access to all
resources in the system. As illustrated in Figure 2.8, user A has access to some resources in
the system while user B has access to other resources. For example, in a home Wi-Fi setting,
the owner may have access to all system resources (e.g. full bandwidth, in-home network
attached storage, etc.), whereas a guest only has access to limited resources (e.g. restricted
bandwidth, a limited amount of data, etc.).


2.2.2 Authentication 


Authentication is a service that verifies the identities of entities in a system. The entities
include users connected to the host system and the host system itself. As illustrated in
Figure 2.9, user A and user B are two entities connected to the host system. Authentication
can be provided between user A and the host system, between user B and the host system, as
well as between user A and user B. This example illustrates the concept of mutual
authentication. In some cases, only one-way authentication is provided. For example, in
Wi-Fi WEP, only mobile stations are authenticated to the access point. Authentication is
mostly provided at the initiation of a connection; it can also be provided during ongoing
interactions. Attacks on authentication are usually active, for example, fabrication,
masquerade, replay, session hijacking, etc.

Some systems provide identification separately, as entity authentication. It is the procedure
of verifying the identity of an entity in a protocol through corroborative evidence.
Identification is usually done in real time and is associated with access control.
Identification must guarantee that honest entities can achieve authentication, while an
attacker cannot impersonate a legitimate entity using the observed identification exchanges.


2.2.3 Confidentiality


Confidentiality ensures that information is accessible only to authorized entities.
Confidentiality is provided by encryption in many wireless systems. As illustrated in
Figure 2.10, data from user A to the host system is first encrypted and then sent through
the network. At the receiving side, the host system decrypts the incoming data. Similarly,
confidentiality can be applied to data transmission between user A and user B. To achieve
confidentiality, an agreement on the encryption mechanism and on some credentials must
be made between the two entities before data transmission. Confidentiality can be applied
broadly to all possible data in a system, or only to certain fields or parts of the data. For
example, in a Wi-Fi network, confidentiality is provided for data traffic; nonetheless, some
information exchanged during the initial authentication process is sent in clear text.
Attacks on confidentiality are usually passive: for example, interception leads to release of
message contents or to traffic analysis.


2.2.4 Integrity 


Integrity is a security service also known as data integrity. It maintains the accuracy and
completeness of data over its entire life cycle. This means that data cannot be modified,
reordered, inserted, delayed, or changed in any other way by unauthorized entities. As
shown in Figure 2.11, once a message is sent from user A in a transmission, integrity is
provided if the receiver (i.e. user B) receives the intended message unchanged, on time,
and only once. Attacks on integrity are active, for example, modification and alteration of
the original message, replay of a previous message, etc.

Figure 2.10 Illustration of confidentiality.

Figure 2.11 Illustration of integrity.


2.2.5 Non-repudiation


Non-repudiation provides proof of the data origin. In other words, non-repudiation guar- 
antees that the sender cannot deny a transmission or its contents. Figure 2.12 illustrates 
non-repudiation to prove data source from user A. Similarly, non-repudiation service can 
be applied to the receiver as well. Therefore, there is either source non-repudiation or des- 
tination non-repudiation. 

The two services, integrity and non-repudiation, while having different security purposes,
are often provided together, known as message authentication. For example, the proof given
in Figure 2.12 can be used for both data integrity and the source of the sender
simultaneously. Note that a proof computed with a shared secret key (a message
authentication code) gives the receiver integrity and origin assurance but not
non-repudiation towards a third party, because the receiver holds the same key and could
have produced the proof itself; non-repudiation needs a proof that only the sender can
produce, such as a digital signature.


2.2.6 Availability 


Availability is a service that makes information available to authorized parties when 
needed. In fact, it is an important aspect of reliability and system design rather than a 
typical security service. However, in addition to natural failures, deliberate attempts to 
deny access to data and service in information systems may compromise availability. The 
DoS attack is one example that may fail a system in terms of availability. 
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Figure 2.12 Illustration of source non-repudiation. 
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Discussion: What are the targets of hacking the password of a home Wi-Fi network? (To keep 
the problem simple, the attack stops once the password is retrieved.) 

To answer this question, readers need to identify security services required in 
the system. This particular system is protected by a password. A user who knows the 
password can access the system at any time. Unauthorized users cannot get access 
because the password is not known to them. If an attacker is able to hack the password, 
then the system will grant access to the attacker. 

First of all, confidentiality is provided to the Wi-Fi password. Although this
confidentiality is not achieved by encryption, a user keeps the password secret by not
sharing it with the public. Hacking the Wi-Fi password obviously violates the
confidentiality of the system. Therefore confidentiality is one security service needed to
prevent this attack.

Second, what about privacy? Later, readers may realize that privacy overlaps with
confidentiality among the security services. Nonetheless, privacy is still different from
confidentiality. Revealing your Wi-Fi password to an attacker is a loss of confidentiality.
What is worse is if the password contains personal information, for example, a birthday or
a bank account password; hacking such a Wi-Fi password also violates the user's privacy.
Therefore, privacy is not a direct target of this attack, but it may be compromised if the
password is not properly chosen.

Third, is integrity violated? In fact, hacking your Wi-Fi password does not violate its
integrity. The password remains the same even after it is disclosed to the attacker. If the
attacker were able to access the system with a modified password without altering the
system configuration, then the integrity of the original password would be violated; but
that problem would lie with the algorithm that uses the password for authentication, which
is covered later in this book.

Finally, availability of the system is made for authorized users, i.e. users who 
know the password. Disclosing the password to an attacker does not violate system 
availability. In other words, authorized users can still type in the password and get 
access to it. 


Security services may have overlapping features. For example, confidentiality and privacy
overlap since both require some information to be withheld from unauthorized users.
Authenticity and integrity overlap since data integrity involves message authenticity. A
legitimate wireless system may not deploy all the necessary security services. Some services
are missing because of improper design; for example, the wired equivalent privacy (WEP)
used in Wi-Fi does not provide access point authenticity to mobile stations. Others are
omitted because limited resources are reserved for more important security targets; for
example, data integrity is not provided in the Global System for Mobile Communication
(GSM) because a real-time phone conversation can tolerate some loss of data integrity and,
more importantly, there are not enough resources to provide real-time data integrity in
GSM.


2.3 Security Mechanisms 


Security mechanisms are methods to achieve security services in a system. X.800 defines a 
list of popular security mechanisms: encipherment, authentication, access control, digital 
signature, data integrity, traffic padding and routing control, and notarization. 


2.3.1 Encipherment 


Encipherment can provide confidentiality for either data or traffic flow information and
can play a part in, or complement, a number of other security mechanisms. Encipherment
algorithms may be reversible or irreversible.

Reversible encipherment algorithms are also known as encryption algorithms. There are two
general classes, symmetric and asymmetric. Symmetric encipherment algorithms are also
known as secret-key algorithms: a secret key is pre-shared between the two communicating
entities and used for both encryption and decryption. Either entity is able to encipher or
decipher the same data and obtain the same result, hence the name symmetric. Asymmetric
encipherment algorithms are also known as public-key algorithms. Here each communicating
entity has a pair of keys, a public key and a private key, as opposed to the single shared
secret key of symmetric algorithms. A message enciphered with the public key can be
deciphered only with the corresponding private key (for some algorithms, such as RSA, the
reverse also holds, which is what digital signatures build on). That is to say, knowledge of
the encipherment key does not imply knowledge of the decipherment key, hence the
encipherment is asymmetric.

Irreversible encipherment algorithms, for example cryptographic hash functions, may or
may not use a key. If a key is used, it may be public or secret. Irreversible encipherment
algorithms cannot be used for encryption because the original data cannot be recovered.
They are often applied to other security services, for example, to generate message
authentication codes for data integrity.


2.3.2 Authentication 


Authentication is applied to authenticate a message or a communicating entity. If the
mechanism does not succeed in authenticating the entity, the result is rejection or
termination of the connection, and it may also cause an entry in the security audit trail
and/or a report to a security management center. Different techniques can be applied to
authentication exchanges. One of them is to use authentication information, such as a
password, supplied by the sending entity and checked by the receiving entity. Some
authentication exchanges rely on cryptographic techniques, where successful cryptographic
operations at both sides provide authentication. When cryptographic techniques are used,
they may be combined with "handshaking" protocols to protect against replay attacks.
Moreover, characteristics and/or possessions of the entity may also be used as
authentication factors, for example, biometrics of human users. The choice of
authentication exchange technique should depend on the requirements of each case; none of
these techniques provides a universal solution to all authentication services. In some cases,
time stamping and synchronized clocks are needed to keep the authentication process fresh.
Some cases require only unilateral authentication while others require mutual
authentication. Some cases require more than authentication techniques alone; for example,
if a non-repudiation service is required during an authentication process, then a digital
signature mechanism may be needed in the process.
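The "handshaking" protocol mentioned above is, in its simplest form, a challenge-response exchange: the verifier sends a fresh random nonce, and the claimant proves possession of the shared secret by returning a keyed hash over that nonce, so a recorded response is useless in a later session. The following added example (written for this edition, not code from the book) runs both sides of such an exchange, extends it to mutual authentication with a second proof from the server, and shows that both a replayed response and a guessed secret are rejected. The user name, secrets and message layout are assumptions made for the example; HMAC-SHA256 is used as the keyed function.

```python
import hashlib
import hmac
import os

# Constructed credential table: user -> shared secret. In a real system the
# secret would be derived from a password or provisioned on a SIM or token.
CREDENTIALS = {"alice": b"constructed-secret-for-alice"}


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be confused."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Server:
    def __init__(self, creds):
        self.creds = creds
        self.pending = {}          # user -> nonce of the open challenge

    def challenge(self, user: str) -> bytes:
        """Message 1: a fresh random nonce; its unpredictability defeats replay."""
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, client_nonce: bytes, response: bytes):
        """Message 3 check; returns (ok, server_proof). The server proof lets
        the client authenticate the server too (mutual authentication)."""
        nonce = self.pending.pop(user, None)        # single use: no second try
        key = self.creds.get(user)
        if nonce is None or key is None:
            return False, None
        expected = _prf(key, b"client", user.encode(), nonce, client_nonce)
        if not hmac.compare_digest(expected, response):
            return False, None
        return True, _prf(key, b"server", user.encode(), nonce, client_nonce)


class Client:
    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key

    def respond(self, server_nonce: bytes):
        """Message 2: own nonce plus a MAC over both nonces; the key is never sent."""
        client_nonce = os.urandom(16)
        resp = _prf(self.key, b"client", self.user.encode(), server_nonce, client_nonce)
        return client_nonce, resp

    def check_server(self, server_nonce, client_nonce, proof) -> bool:
        expected = _prf(self.key, b"server", self.user.encode(), server_nonce, client_nonce)
        return proof is not None and hmac.compare_digest(expected, proof)


def run_handshake(server: Server, client: Client):
    """Full exchange; returns (client_authenticated, server_authenticated)."""
    n_s = server.challenge(client.user)
    n_c, resp = client.respond(n_s)
    ok, proof = server.verify(client.user, n_c, resp)
    return ok, client.check_server(n_s, n_c, proof)


def replay_attempt(server: Server, client: Client) -> bool:
    """Attacker records one valid exchange and replays it in a new session."""
    n_s = server.challenge(client.user)
    n_c, resp = client.respond(n_s)
    assert server.verify(client.user, n_c, resp)[0]
    server.challenge(client.user)                    # new session, new nonce
    return server.verify(client.user, n_c, resp)[0]  # the recorded pair fails


def wrong_key_attempt(server: Server) -> bool:
    """Masquerade with a guessed secret: the MAC does not verify."""
    impostor = Client("alice", b"guessed-wrong-secret")
    return run_handshake(server, impostor)[0]


if __name__ == "__main__":
    srv = Server(CREDENTIALS)
    alice = Client("alice", CREDENTIALS["alice"])
    print("handshake:", run_handshake(srv, alice))
    print("replay accepted:", replay_attempt(srv, alice))
    print("wrong key accepted:", wrong_key_attempt(srv))
```

Two design points carry the security argument: the nonce is consumed when checked, so an attacker gets one attempt per challenge, and the client's own nonce goes into the server's proof, so the client is not fooled by a recorded server answer either. A timestamp can replace the server nonce where clocks are synchronized, which is the "time stamping" variant the text mentions.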


2.3.3 Access Control


Access control is applied to determine and enforce the access rights of an entity, depending
on the authenticated identity of the entity, information about the entity (such as
membership in a known set of entities), or capabilities of the entity. If the entity attempts
to use an unauthorized resource, or an authorized resource with an improper type of access,
then the access control function rejects the attempt. The incident may further be reported
as part of a security audit trail. Access control mechanisms may be based on one or more of
the following:


• Access control information bases, where the access rights of peer entities are maintained.
This information may be maintained by authorization centers or by the entity being
accessed, and may take the form of an access control list or a matrix of hierarchical or
distributed structure. This assumes that peer entity authentication has been assured.

• Authentication information such as passwords, possession of which is evidence of the
accessing entity's authorization.

• Capabilities, possession and subsequent presentation of which is evidence of the right to
access the entity or resource defined by the capability. (Note: a capability should be
unforgeable and should be conveyed in a trusted manner.)

• Security labels, which when associated with an entity may be used to grant or deny access,
usually according to a security policy.

• Time of attempted access, route of attempted access, and duration of access.


An access control mechanism may be applied at either end of a communication asso- 
ciation and/or at any intermediate point. Access controls involved at the origin or any 
intermediate point are used to determine whether the sender is authorized to communicate 
with the recipient and/or to use the required communication resources. The requirements 
of the peer level access control mechanisms at the destination side of a connectionless data 
transmission must be known a priori at the origin, and must be recorded in the security 
management information base. 


2.3.4 Digital Signature 


A digital signature is applied to provide proof of the identity of the origin. A digital
signature mechanism defines two procedures, signing a data unit and verifying a signed data
unit.


• Signing a data unit uses information that is private (i.e. unique and confidential) to the
signer. This process involves either an encipherment of the data unit or the production of
a cryptographic check-value of the data unit, using the signer's private information as a
private key. This process can be performed successfully by the signer only.

• Verifying a signed data unit uses procedures and information that are publicly available
but from which the private information of the signer cannot be deduced. This process uses
the public procedures and information to determine whether the signature was produced
with the signer's private information. It can be performed successfully by any entity that
has the public information of the signer.


The essential characteristic of the signature mechanism is that the signature can only be
produced using the private information of the signer. Therefore, when the signature is
verified, it can subsequently be proven to any entity at any time that only the original
signer could have produced the signature, and thus the identity of the sender is verified. In
addition to the unique private information of the signer, signing a data unit may also use
time stamping and synchronized clocks to set a life span.
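The two procedures above, and the asymmetry between them, are shown by the following added example (written for this edition, not code from the book). It is a textbook RSA signature over a SHA-256 digest: signing raises the digest to the private exponent, verifying raises the signature to the public exponent, and anyone holding only the public key can check the result but cannot produce it. Key generation with a seeded generator, the 512-bit modulus and the absence of a padding scheme are simplifications for the example; a real system uses RSA-PSS or Ed25519 from a vetted library, never this code.

```python
import hashlib
import random

# Toy RSA signature for illustration only: small keys, seeded key generation,
# no padding scheme. Not for production use.


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if _is_probable_prime(cand, rng):
            return cand


def keygen(bits: int = 512, seed=None):
    """Returns (public_key, private_key) as (e, n) and (d, n)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:            # e prime, so this gives gcd(e, phi) = 1
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(private_key, msg: bytes) -> int:
    """Signing: only the holder of d can compute hash(msg)^d mod n."""
    d, n = private_key
    return pow(_digest(msg), d, n)


def verify(public_key, msg: bytes, sig: int) -> bool:
    """Verification: anyone with (e, n) checks sig^e mod n == hash(msg)."""
    e, n = public_key
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest(msg)   # 256-bit digest is always < 512-bit n


def demo() -> dict:
    pub, priv = keygen(seed=2021)             # signer's key pair
    other_pub, _ = keygen(seed=7)             # some other party's public key
    msg = b"A -> B: transfer 100"             # constructed message
    sig = sign(priv, msg)
    return {
        "valid": verify(pub, msg, sig),
        "tampered_message": verify(pub, b"A -> B: transfer 900", sig),
        "wrong_signer": verify(other_pub, msg, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Because verification uses only (e, n), the receiver cannot have produced the signature, which is exactly the property a message authentication code lacks and the reason a signature provides non-repudiation. Signing the hash rather than the message keeps the signed value below the modulus and binds the signature to the whole message at once.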


2.3.5 Data Integrity 


Data integrity is applied to provide integrity of the data received or accessed. There are two
aspects of data integrity: (i) the integrity of a single data unit or field; and (ii) the integrity
of a stream of data units or fields. The two types of integrity service require different
mechanisms; however, provision of the first type is a prerequisite for the second.
Determining the integrity of a single data unit involves two processes, one at the sending
entity and one at the receiving entity.


• The sending entity appends to the data unit a value that is generated from the data itself.
This value may be supplementary information such as a block check code or a cryptographic
check value, and may itself be enciphered. Note that a plain block check code only detects
accidental errors; against a deliberate attacker, who can recompute the code after changing
the data, a keyed cryptographic check value is required.

• The receiving entity generates the corresponding value and compares it with the received
one to determine whether the data has maintained its integrity in transit.


A data integrity mechanism alone is not enough to protect the system against the replay of
a single data unit. In a layered network architecture, detection of manipulation may lead to
a recovery action (for example, retransmission or error correction) at that or a higher layer.
For connection-oriented data transfer, protecting the integrity of a sequence of data units
(i.e. protecting against mis-ordering, loss, replay, insertion or modification of data)
additionally requires some form of explicit ordering, such as sequence numbering, time
stamping, or cryptographic chaining. For connectionless data transmission, time stamping
may be used to provide a limited form of protection against replay of individual data units.
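The following added example (written for this edition, not code from the book) implements both aspects just described and, at the same time, the replay and modification attacks of Section 2.1.2: each data unit carries a sequence number and an HMAC-SHA256 check value computed over the sequence number and the payload (single-unit integrity), and the receiver tracks the expected sequence number (stream integrity). The key, the four-message stream and the attacker's interventions are constructed for the example; in practice the key comes from the authentication exchange that set up the connection.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32
SEQ_LEN = 4
KEY = b"constructed shared integrity key"   # constructed; shared out of band


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: unit = seq || payload || HMAC(key, seq || payload).
    Covering the sequence number with the tag is what stops an attacker
    from renumbering a replayed unit to make it look fresh."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Verifies each unit (single-unit integrity) and the sequence (stream
    integrity): rejects modified, replayed and reordered units, flags lost ones."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected = 0

    def accept(self, unit: bytes):
        if len(unit) < SEQ_LEN + TAG_LEN:
            return "reject: truncated", None
        header, payload, tag = unit[:SEQ_LEN], unit[SEQ_LEN:-TAG_LEN], unit[-TAG_LEN:]
        want = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(want, tag):      # constant-time comparison
            return "reject: bad tag", None
        seq = struct.unpack(">I", header)[0]
        if seq < self.expected:                     # already seen this number
            return "reject: replay or reorder", None
        if seq > self.expected:                     # something in between never arrived
            status = "accept: %d unit(s) lost" % (seq - self.expected)
        else:
            status = "accept"
        self.expected = seq + 1
        return status, payload


def flip_bit(unit: bytes, index: int) -> bytes:
    """Attacker's modification: flip one bit at the given offset."""
    b = bytearray(unit)
    b[index] ^= 0x01
    return bytes(b)


def demo():
    """Constructed stream of 4 units from A; the attacker tampers with delivery."""
    units = [protect(KEY, i, p) for i, p in enumerate(
        [b"balance? ", b"pay 10 to C", b"pay 10 to C", b"logout"])]
    rx = Receiver(KEY)
    delivered = [
        units[0],                                # unmodified
        flip_bit(units[1], SEQ_LEN + 4),         # '1' in the amount altered
        units[1],                                # the original, arriving afterwards
        units[1],                                # replay of the same unit
        units[3],                                # unit 2 was dropped on the way
        units[2],                                # late arrival with an old number
    ]
    return [rx.accept(u)[0] for u in delivered]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Without the tag, the altered amount would be accepted unnoticed; without the sequence number, the replayed payment would be accepted a second time. Delay is the one property in the integrity definition this check does not cover; for that, a timestamp inside the protected header and a receiver-side window are needed, which is the connectionless variant the text mentions.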


2.3.6 Traffic Padding and Routing Control 


Traffic padding and routing control can be used to provide various levels of protection
against traffic analysis. Traffic padding can be effective only if the padding is protected by
a confidentiality service; otherwise the observer simply separates the padding from the
data. Routing control dynamically chooses routes that use only physically secure
subnetworks, relays, or links. Some routing control allows end-systems to instruct the
network service provider to establish a connection via a different route on detection of
persistent manipulation attacks. A security policy can be set to forbid data carrying certain
security labels from passing through certain subnetworks, relays, or links. The initiator of
a connection (or the sender of a data unit) may request that specific subnetworks, links or
relays be avoided.
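The traffic padding mechanism, and the dummy traffic mentioned under passive attacks in Section 2.1.1, are shown by the following added example (written for this edition, not code from the book). Each unit carries a flag and a length field inside the encrypted part, is filled up to a multiple of a fixed bucket size, and only then encrypted, so an observer sees identical lengths for short real messages and for dummy units alike. The bucket size, key, and message formats are assumptions for the example, and the "cipher" is a counter-mode keystream derived from HMAC-SHA256 standing in for a real stream cipher; it provides confidentiality only and would be paired with the integrity mechanism of Section 2.3.5 in practice.

```python
import hashlib
import hmac
import os
import struct

BUCKET = 128                       # every unit on the air is a multiple of this
NONCE_LEN = 8
KEY = b"constructed confidentiality key"   # constructed; shared out of band


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF. Stands in for a
    real stream cipher; the padding argument does not depend on the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unit(key: bytes, payload: bytes, dummy: bool = False) -> bytes:
    """Inner format: flag (1) || length (2) || payload || random fill, padded
    to a BUCKET multiple, then encrypted. Flag and length sit inside the
    encrypted part, so the observer cannot tell dummy units from real ones."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 2-byte length field")
    inner = bytes([1 if dummy else 0]) + struct.pack(">H", len(payload)) + payload
    inner += os.urandom((-len(inner)) % BUCKET)       # fill to the bucket boundary
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(inner, _keystream(key, nonce, len(inner)))


def decrypt_unit(key: bytes, unit: bytes):
    """Returns the payload, or None for a dummy unit the receiver discards."""
    nonce, body = unit[:NONCE_LEN], unit[NONCE_LEN:]
    inner = _xor(body, _keystream(key, nonce, len(body)))
    flag, length = inner[0], struct.unpack(">H", inner[1:3])[0]
    if flag == 1:
        return None
    return inner[3:3 + length]


def observed_lengths(key: bytes, payloads):
    """What a traffic analyst sees: the length of each unit on the air."""
    return [len(encrypt_unit(key, p)) for p in payloads]


def unpadded_lengths(key: bytes, payloads):
    """The same messages without padding: nonce + flag + length + payload."""
    return [NONCE_LEN + 3 + len(p) for p in payloads]


if __name__ == "__main__":
    msgs = [b"ACK", b"pay 10 to C", b"A" * 300]       # constructed messages
    print("without padding:", unpadded_lengths(KEY, msgs))
    print("with padding:   ", observed_lengths(KEY, msgs))
    print("dummy unit:     ", len(encrypt_unit(KEY, b"", dummy=True)))
```

Bucketing hides the difference between messages that fall into the same bucket (the 3-byte acknowledgement and the 11-byte payment above become indistinguishable) but not between buckets, so the bucket size trades bandwidth against leakage; dummy units fill the gaps in time the same way padding fills the gaps in length. The XOR keystream is malleable and would let an attacker flip bits undetected, which is why the text treats padding as a complement to, not a replacement for, the integrity mechanisms.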


2.3.7 Notarization


Notarization can be used to assure data integrity, origin, time, and destination about data 
communicated between two or more entities. The assurance is provided by a third-party 
notary, which is trusted by the communicating entities, and which holds the necessary 
information to provide the required assurance in a verifiable manner. Each instance of 
communications may use digital signature, encipherment, and integrity mechanisms as 
appropriate to the service being provided by the notary. When such a notarization mech- 
anism is invoked, the data is communicated between the communicating entities via the 
protected instances of communications and the notary. 


2.4 Other Security Concepts 


2.4.1 Levels of Impact 


In system design and implementation, what security features should be included? Which 
security mechanisms should be used to achieve those services? Is it a good idea to provide 
all security features using the most advanced and perhaps most complicated mechanisms? 
It depends. A regular house does not need “24/7” armed on-site guards or bullet-proof 
windows. The level of security to be provided to a communication system shall depend 
on the potential impact of a security breach involving that particular system. NIST FIPS 
Publication (PUB) 199 [10] establishes three levels of potential impact, i.e. low, moderate, 
and high. 

Low level of impact indicates a limited adverse effect on organizational operations, assets, 
or individuals. Adverse effects on individuals may include, but are not limited to, loss of 
privacy to which individuals are entitled under law. A limited adverse effect means that, for 
example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation 
in mission capability to an extent and duration that the organization is able to perform its 
primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in 
minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in 
minor harm to individuals. 

Moderate level of impact indicates a serious adverse effect on organizational operations, 
assets, or individuals. A serious adverse effect means that, for example, the loss might: 
(i) cause a significant degradation in mission capability to an extent and duration that 
the organization is able to perform its primary functions, but the effectiveness of the 
functions is significantly reduced; (ii) result in significant damage to organizational assets; 
(iii) result in significant financial loss; or (iv) result in significant harm to individuals that 
does not involve loss of life or serious, life-threatening injuries. 

High level of impact indicates a severe or catastrophic adverse effect on organizational 
operations, organizational assets, or individuals. A severe or catastrophic adverse effect 
means that, for example, the loss might: (i) cause a severe degradation in or loss of mission 
capability to an extent and duration that the organization is not able to perform one or 
more of its primary functions; (ii) result in major damage to organizational assets; (iii) result 
in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving 
loss of life or serious, life-threatening injuries. 

NIST Special Publication (SP) 800-53 [9] provides recommendations for minimum man- 
agement, operational, and technical security controls for information systems based on the 
FIPS PUB 199 impact categories. The recommendations should be helpful to organizations 
in identifying controls that are needed to protect system implementations in general. 


2.4.2 Cryptographic Protocols 


A cryptographic protocol is a sequence of steps precisely specifying the actions required of two or 
more entities to achieve a specific security objective. Primitives used in cryptographic protocols 
are the pieces utilized to build the protocol and include encryption algorithms, hash func- 
tions, digital signature, random number generators, and other algorithms and functions. 
Common cryptographic protocols are used for authentication and key establishment. 

An authentication protocol is a scheme based on the use of cryptographic algorithms 
designed to authenticate the identity of entities. The cryptographic algorithms may include 
symmetric encryption, asymmetric encryption, data integrity, and others. Depending on the 
security requirements, time stamps and/or nonces may also be applied to an authentication 
protocol. 

A key establishment protocol is a secure process by which a shared secret key becomes 
available to two or more parties for subsequent cryptographic use. Key establishment can 
be done in two ways: 

• Key distribution: one party chooses the secret key and the secret key is securely trans- 
ported to the other parties. 

• Key agreement: two or more parties jointly establish a secret key by communicating over 
a public channel, e.g. Diffie-Hellman key exchange. 


Third-party entities, for example a trusted authority, a trusted third party, or a key 
distribution center, may be involved in some key establishment protocols. Those third-party 
entities are usually trusted by all entities in the system. They take on all or some of the 
roles, including key generation, key distribution, certificate generation and verification, etc. 

Key management is a set of processes and mechanisms that support key establishment 
and the maintenance of ongoing cryptographic keys in a cryptosystem. Key management deals 
with key generation, updates, exchange, storage, and replacement. Key management 
also deals with trusted third parties, such as assigning their roles. 


2.5 Summary 

This chapter gives an overview of the security concepts that will be used in the rest of this 
book for security in wireless communication networks. These concepts include security 
attacks, security services, and security mechanisms. 


3 Mathematical Background 


Some mathematical concepts, such as finite fields and number theory, are important in 
developing cryptographic algorithms. The related mathematical background is critical for 
one to understand cryptography such as the Advanced Encryption Standard and public key 
cryptographic systems. This chapter introduces the basic mathematical background for 
a better understanding of the cryptography that is applied in wireless security. Section 3.1 gives an 
overview of basic concepts in modern algebra and number theory. Section 3.2 introduces 
modular arithmetic and divisors. Section 3.3 studies finite fields. Section 3.4 overviews 
polynomial arithmetic, followed by Fermat’s little theorem, Euler’s totient function, and Euler’s 
theorem in Section 3.5, primality testing in Section 3.6, the Chinese remainder theorem in 
Section 3.7, and the discrete logarithm in Section 3.8. 


3.1 Basic Concepts in Modern Algebra and Number Theory 


In mathematics, number theory is the study of the set of integers and integer-valued func- 
tions. Groups, rings, and fields are the basic elements in modern algebra. A finite field is a 
field that contains a finite number of elements. Finite fields in modern algebra and prime 
numbers in number theory are two of the most important mathematical concepts applied 
in modern cryptography. 


3.1.1 Group 


A group denoted as $\{G, \cdot\}$ is an algebraic structure consisting of a set of elements (i.e. 
$G = \{a, b, c, \ldots\}$) together with an operation “$\cdot$” on the elements in the set G that satisfies 
the four group axioms listed below. The elements can be numbers, polynomials, 
etc. The operator “$\cdot$” is generic and can refer to any arithmetic operation, such as 
addition, multiplication, etc., or an abstract mathematical operation. The four group 
axioms, closure, associativity, identity, and invertibility, are described as follows: 


• Closure: for any two elements $a, b \in G$, $a \cdot b \in G$. 

• Associativity: for any three elements $a, b, c \in G$, $(a \cdot b) \cdot c = a \cdot (b \cdot c)$. 

• Identity: there exists an element $e \in G$ such that for any element $a \in G$, $e \cdot a = a \cdot e = a$. 

• Invertibility: for any element $a \in G$, there exists an element $a^{-1} \in G$ such that $a \cdot a^{-1} = e$. 
Example: $\{\mathbb{Z}, +\}$ is a group, given $\mathbb{Z}$ as the set of integers (i.e. $\ldots, -3, -2, -1, 0, 1, 2, 3, \ldots$) 
and “+” as the arithmetic addition. A test against the group axioms is shown as follows: 
– For any integers $a, b \in \mathbb{Z}$, $a + b \in \mathbb{Z}$. Therefore $\{\mathbb{Z}, +\}$ satisfies closure. 
– For any integers $a, b, c \in \mathbb{Z}$, $(a + b) + c = a + (b + c)$. Therefore $\{\mathbb{Z}, +\}$ satisfies 
associativity. 
– For any integer $a \in \mathbb{Z}$, there exists $0 \in \mathbb{Z}$ such that $0 + a = a + 0 = a$. Thus 
$e = 0 \in \mathbb{Z}$ is the identity element. Therefore $\{\mathbb{Z}, +\}$ satisfies identity. 
– For any integer $a \in \mathbb{Z}$, there exists an integer $b = -a \in \mathbb{Z}$ such that $a + b = 
b + a = 0 = e$. Thus there exists an inverse element $a^{-1} = -a$ for any $a \in \mathbb{Z}$ such 
that $a \cdot a^{-1} = e$. Therefore $\{\mathbb{Z}, +\}$ satisfies invertibility. 
All four group axioms hold. It can be concluded that $\{\mathbb{Z}, +\}$ is a group. 


Besides group axioms, there are several other concepts related to groups. In the following, 
we define an abelian group and a cyclic group. 


3.1.1.1 Abelian Group 
An abelian group is a group $\{G, \cdot\}$ that satisfies an additional commutativity axiom. The 
commutativity axiom is defined as follows: 


• Commutativity: $a \cdot b = b \cdot a$, $\forall a, b \in G$. 


Example: Is (Z, +) an abelian group? 

One only needs to check whether “+” satisfies commutativity, due to the fact that $(\mathbb{Z}, +)$ is a 
group. For any integers $a, b \in \mathbb{Z}$, $a + b = b + a$, thus the operation “+” satisfies commu- 
tativity. Therefore, $(\mathbb{Z}, +)$ is an abelian group. 


Example: Is $(\mathbb{R}, \times)$ an abelian group, where $\mathbb{R}$ is the set of real numbers and “×” is the 
arithmetic multiplication? 

It is easy to show that for any $a, b \in \mathbb{R}$, $a \times b = b \times a$, thus the operation “×” satisfies com- 
mutativity. However, $(\mathbb{R}, \times)$ is still not an abelian group because it is not a group at all. 
$(\mathbb{R}, \times)$ does not have an identity element e due to the element $0 \in \mathbb{R}$. Without an identity 
element, $(\mathbb{R}, \times)$ does not satisfy invertibility either. Therefore, although multiplication 
satisfies commutativity, $(\mathbb{R}, \times)$ is not an abelian group. It is worth noting that the set of 
real numbers excluding “0” (i.e. $\mathbb{R}' = \mathbb{R} \setminus \{0\}$) together with the multiplication operator, i.e. 
$(\mathbb{R}', \times)$, forms an abelian group. 

Open question: What is the identity element for $(\mathbb{R}', \times)$? 


3.1.1.2 Cyclic Group 

A cyclic group requires that every element in G is a power of some fixed element $a \in G$. That 
is to say, for a cyclic group $(G, \cdot)$ and any $b \in G$, $b = a^k$ for some integer k. The exponentiation 
is defined as repeated application of the operator “$\cdot$”. For example, $a^3 = a \cdot a \cdot a$ and $a^{-3} = a^{-1} \cdot 
a^{-1} \cdot a^{-1}$, where $a \cdot a^{-1} = a^0 = e \in G$. Note that a cyclic group must satisfy all group axioms, 
including identity and invertibility. 




Example: $(\mathbb{Z}, +)$ is a cyclic group. 

There exists an element $a \in \mathbb{Z}$ such that $a^n = a + a + \cdots + a$. Readers may have already 
found that $a = 1$ satisfies the power operation in $(\mathbb{Z}, +)$. That is to say, for any $n \in \mathbb{Z}$, it 
calculates as $n = 1^n = 1 + 1 + \cdots + 1$. Therefore $(\mathbb{Z}, +)$ is a cyclic group with $a = 1$. 


Note: A cyclic group is an abelian group, because for any $x = a^m$, $y = a^n$, where $m, n \in \mathbb{Z}$, 
it satisfies $x \cdot y = a^m \cdot a^n = a^{m+n} = a^n \cdot a^m = y \cdot x$, which indicates that commutativity 
is always satisfied for a cyclic group. Therefore, a cyclic group is an abelian group. 


3.1.2 Ring 


A ring consists of a set R with two operations “+” and “×”, and satisfies the three axioms in 
the following. 


(1) $(R, +)$ forms an abelian group. 
(2) $(R, \times)$ satisfies the conditions of closure and associativity. 
(3) Multiplication is distributive with respect to addition, i.e. 


$a \times (b + c) = (a \times b) + (a \times c)$, $\forall a, b, c \in R$, and 
$(b + c) \times a = (b \times a) + (c \times a)$, $\forall a, b, c \in R$. 


Example: The integer set $\mathbb{Z}$ with the arithmetic operations addition “+” and multiplication “×” 
forms a ring. 

It has been shown previously that $(\mathbb{Z}, +)$ is an abelian group. For any integers a, b, and 
c, multiplication is associative, where $(a \times b) \times c = a \times (b \times c)$. The integer set $\mathbb{Z}$ satisfies 
closure under multiplication. Moreover, any integers $a, b, c \in \mathbb{Z}$ satisfy multiplica- 
tive distribution with respect to addition. Therefore, $\mathbb{Z}$ with operations “+” and “×” forms 
a ring. 


Two additional concepts based on ring are commutative ring and integral domain, 
described as follows: 


• Commutative ring: if the multiplication operation is commutative, i.e. for all $a, b \in R$, $a \times b = 
b \times a$, then R forms a commutative ring. 

• Integral domain: if the multiplication operation has an identity and no zero divisors, then R 
forms an integral domain. 


3.1.3 Field 


A field consists of a set F that forms a nonzero commutative division ring. A ring only 
requires R to be associative under multiplication and to have a multiplicative identity. In addition to 
being a ring, F is a field if its nonzero elements form an abelian group under multiplication. 
Specifically, for a set F, the conditions are as follows: 


(1) $\{F, +, \times\}$ forms a ring. 
(2) $(F \setminus \{0\}, \times)$ forms an abelian group. 


Addition, subtraction, multiplication, and division can be performed in a field without 
leaving the set F. Division “/” is defined with the following rule: $a/b = ab^{-1}$. 


Example of fields: rational numbers, real numbers, and complex numbers with 
arithmetic operations addition “+” and multiplication “x” are fields. 


Question: Is the set of integers $\mathbb{Z}$ with “+” and “×” a field? 
No, because not every element of the set has a multiplicative inverse. In fact, only the 
elements 1 and −1 have multiplicative inverses in the integers. 


3.2 Prime Numbers, Modular Arithmetic, and Divisors 


3.2.1 Prime Numbers 


Prime numbers are of central concern in number theory. A prime number is a positive 
integer greater than 1 that has no positive divisors other than 1 and itself. 


List of prime numbers less than 200: 
2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71 73 79 83 89 97 101 103 107 
109 113 127 131 137 139 149 151 157 163 167 173 179 181 191 193 197 199. 


Prime Factorization: A positive integer n can be written as a product of other positive 
integers, for example, $n = a \times b \times c$. Factoring a number is relatively hard compared to mul- 
tiplying the factors together to generate the number. That is to say, it is easy to compute n from 
a, b, and c. However, it is hard to find a, b, and c given n. The prime factorization of a positive 
integer n is to write n as a product of prime numbers, such that: 

$$n = \prod_{p \in P} p^{a_p}, \tag{3.1}$$

where P is the set of all prime numbers, and $a_p$ is some positive integer. 


Example: $91 = 7^1 \times 13^1$; $3600 = 2^4 \times 3^2 \times 5^2$. 


3.2.2 Modular Arithmetic 


For the set of integers, define the modulo operation “a mod n” as the remainder when the 
integer a is divided by a positive integer n. The modulo operation is widely applied in cryp- 
tographic systems. For a positive integer n, two integers a and b are said to be congruent 
modulo n if $a \equiv b \bmod n$. The congruence relation means that $(a - b) = kn$ for some integer k. 
For example, $100 \equiv 34 \bmod 11$. In other words, a and b have the same remainder when 
divided by n. The same rule holds for negative a and b. For example, $100 \equiv -8 \bmod 11$, 
$-100 \equiv -1 \bmod 11$. Since we have $a = kn + b$, b is the residue of a mod n. In general, the 
smallest positive remainder is chosen as the residue, i.e. $0 \le b \le n - 1$. In this case, modular 
arithmetic is “clock arithmetic”, such that only a finite number of values occur as results and 
the values loop back from either end. The modular arithmetic operation is written as $a \bmod 
n = b$. For any integers a, b, c, and n, modular arithmetic exhibits the following 
properties: 


Property 1: $(a + b) \bmod n = [(a \bmod n) + (b \bmod n)] \bmod n$. 

Example: $a = 11$, $b = 9$, and $n = 7$. 
$(11 + 9) \bmod 7 = [(11 \bmod 7) + (9 \bmod 7)] \bmod 7 = (4 + 2) \bmod 7 = 6$. 


Property 2: $(a - b) \bmod n = [(a \bmod n) - (b \bmod n)] \bmod n$. 

Example: $a = 11$, $b = 9$, and $n = 7$. 
$(11 - 9) \bmod 7 = [(11 \bmod 7) - (9 \bmod 7)] \bmod 7 = (4 - 2) \bmod 7 = 2$. 


Property 3: $(a \times b) \bmod n = [(a \bmod n) \times (b \bmod n)] \bmod n$. 

Example: $a = 11$, $b = 9$, and $n = 7$. 
$(11 \times 9) \bmod 7 = [(11 \bmod 7) \times (9 \bmod 7)] \bmod 7 = (4 \times 2) \bmod 7 = 1$. 


Property 4: If $(a + b) \bmod n = (a + c) \bmod n$, then $b \equiv c \bmod n$. 

Example: $a = 11$, $b = 9$, $c = 16$, and $n = 7$. 
$(11 + 9) \bmod 7 = (11 + 16) \bmod 7 = 6$, thus $9 \equiv 16 \bmod 7$. 


Property 5: If $(a \times b) \bmod n = (a \times c) \bmod n$, then $b \equiv c \bmod n$ if and only if a is rela- 
tively prime to n, i.e. $\gcd(a, n) = 1$ (to be illustrated in the following). 

Example: $a = 11$, $b = 9$, $c = 72$, and $n = 7$. 
$(11 \times 9) \bmod 7 = (11 \times 72) \bmod 7 = 1$, thus $9 \equiv 72 \bmod 7$; $\gcd(11, 7) = 1$. 

Example: $a = 7$, $b = 9$, $c = 10$, and $n = 7$. 
$(7 \times 9) \bmod 7 = (7 \times 10) \bmod 7 = 0$, but $9 \not\equiv 10 \bmod 7$; $\gcd(7, 7) = 7$. 


Modular arithmetic is normally applied within the integer group $\mathbb{Z}_n$, which includes the inte- 
gers from 0 to $n - 1$. For example, $3 + 3 = (3 + 3) \bmod 4 = 2$ in $\mathbb{Z}_4$ and $3 \times 3 = (3 \times 3) \bmod 
4 = 1$ in $\mathbb{Z}_4$. The full tables of addition and multiplication in $\mathbb{Z}_4 = \{0, 1, 2, 3\}$ are given in 
Figure 3.1. 


3.2.3 Divisors and GCD 


If the result of a modular arithmetic operation is zero, i.e. $a \equiv 0 \bmod b$ (for non-zero integers a and b), 
then b is defined as a divisor of a. It is also said that b divides the integer a, denoted as $b \mid a$. 


+ | 0 1 2 3        × | 0 1 2 3 
0 | 0 1 2 3        0 | 0 0 0 0 
1 | 1 2 3 0        1 | 0 1 2 3 
2 | 2 3 0 1        2 | 0 2 0 2 
3 | 3 0 1 2        3 | 0 3 2 1 


(a)                (b) 


Figure 3.1 Modulo example of $\mathbb{Z}_4$. (a) Addition modulo 4. (b) Multiplication modulo 4. 


For example, 1, 2, 3, 6 are all divisors of 6 since $1 \mid 6$, $2 \mid 6$, $3 \mid 6$, and $6 \mid 6$. Given two non-zero 
integers a and b, finding their greatest common divisor (gcd) is a common problem in num- 
ber theory. For example, the divisors of 60 are 1, 2, 3, 4, 5, 6, 10, 12, 20, 30, 60; the divisors of 24 are 
1, 2, 3, 4, 8, 12, 24. Thus $\gcd(60, 24) = 12$. Similarly, $\gcd(128, 24) = 8$. 

Two integers a and b are relatively prime if and only if $\gcd(a, b) = 1$. For example, 
$\gcd(8, 15) = 1$, hence 8 and 15 are relatively prime. Readers should be aware that the 
definition of two numbers being relatively prime does not require either number to be a prime 
number. One way to find $\gcd(a, b)$ is to compare their prime factorizations. 


Example: Compute $\gcd(18, 300)$. 
• Find the prime factorization forms of 18 and 300, such that 
$18 = 2^1 \times 3^2$, and $300 = 2^2 \times 3^1 \times 5^2$. 

• Find the common prime factors, i.e. 2, 3, and 5. 
• Find the least powers of the common prime factors, i.e. 1 for 2, 1 for 3, and 0 for 5. 
• Compute $\gcd(18, 300) = 2^1 \times 3^1 \times 5^0 = 6$. 


However, finding prime factorization forms of an integer is a hard problem. Therefore 
finding the greatest common divisor of two integers needs a more efficient approach. 
The Euclidean algorithm is one efficient method to compute gcd(a,b), as detailed in 
Algorithm 3.1. This algorithm is based on the fact that gcd(a, b) = gcd(b, a mod b) where 
a>b. 


Algorithm 3.1 Euclidean gcd(a, b) 
Input: a and b, where a > b; 
Output: gcd(a, b); 
A = a; B = b; 
while B ≠ 0 do 
    temp ← (A mod B); 
    A = B; 
    B = temp; 
end while 
gcd(a, b) ← A 

Example: Use the Euclidean algorithm to compute $\gcd(3003, 1440)$. 
$3003 = 2 \times 1440 + 123 \Rightarrow \gcd(1440, 123)$ 
$1440 = 11 \times 123 + 87 \Rightarrow \gcd(123, 87)$ 
$123 = 1 \times 87 + 36 \Rightarrow \gcd(87, 36)$ 
$87 = 2 \times 36 + 15 \Rightarrow \gcd(36, 15)$ 
$36 = 2 \times 15 + 6 \Rightarrow \gcd(15, 6)$ 
$15 = 2 \times 6 + 3 \Rightarrow \gcd(6, 3)$ 
$6 = 2 \times 3 + 0 \Rightarrow \gcd(3, 0)$ 
Return $\gcd(3003, 1440) = 3$. 


3.2.4 Multiplicative Inverse 


A multiplicative inverse is defined as follows: given a, b in a finite field, e.g. MOD(p), 
if $a \times b = 1$ in MOD(p), then b is a multiplicative inverse of a in MOD(p). It is also denoted 
as $a \cdot b \equiv 1 \bmod p$, or $b = a^{-1} \bmod p$. Back to the example shown in Figure 3.4c, the 
multiplicative inverse of 1 in MOD(2) is also 1. 


Question: Does a multiplicative inverse always exist for any element a in MOD(p)? 
No, a multiplicative inverse is not guaranteed for any given a. As shown in the example of 
MOD(2), element 0 does not have a multiplicative inverse. Only element 1 has a multi- 
plicative inverse, which is 1 itself. 


How can one determine whether a multiplicative inverse b exists for an element a in MOD(p)? If it 
exists, how can b be found? For example, does the multiplicative inverse of 3 exist in MOD(20)? If so, 
what is it? In this example, it is easy to find that $3 \times 7 = 21 \equiv 1 \bmod 20$, thus the answer is 7. 
What if a is a very large number, e.g. a 512-bit binary number? In theory, the answers 
can be found through exhaustive search given unlimited time and computing resources. 
Nonetheless, it is necessary to have a much more efficient way to determine whether a multiplica- 
tive inverse exists and to locate its exact value. Fortunately, finding the multiplicative inverse 
b of a in MOD(p) is a simple process, by applying the extended Euclidean algorithm. Note 
that the algorithm is based on the Euclidean algorithm, which computes the remainder itera- 
tively. The extended Euclidean algorithm adds a few more steps, as detailed in Algorithm 3.2. 
Earlier, the multiplicative inverse of 3 in MOD(20) was found by trying $3 \times 7 \equiv 1 \bmod 20$. 
Figure 3.2a shows the process of finding 7 using the extended Euclidean algorithm. In this 
example, the extended Euclidean algorithm took three iterations to stop. In the final itera- 
tion, $B_3$ returns 1, which indicates that the multiplicative inverse exists for 3 in MOD(20). $B_2$ 
in the final iteration is the multiplicative inverse. The multiplicative inverse may not exist; 
for example, 6 in MOD(20) has no multiplicative inverse. In this case, the final iteration of 
the extended Euclidean algorithm returns $B_3 = 0$. The detailed process is given in Figure 3.2b. 

Figure 3.2 Applying the extended Euclidean algorithm to find a multiplicative inverse. 
(a) Multiplicative inverse of 3 in MOD(20). (b) Multiplicative inverse of 6 in MOD(20). 


Algorithm 3.2 Extended Euclidean (p, a) 
Input: p and a 
Output: $a^{-1}$ in MOD(p); 
$(A_1, A_2, A_3) = (1, 0, p)$; $(B_1, B_2, B_3) = (0, 1, a)$; 
while $B_3 \ne 0$ and $B_3 \ne 1$ do 
    $Q = \lfloor A_3 / B_3 \rfloor$; 
    $(T_1, T_2, T_3) = (A_1 - QB_1, A_2 - QB_2, A_3 - QB_3)$; 
    $(A_1, A_2, A_3) = (B_1, B_2, B_3)$; 
    $(B_1, B_2, B_3) = (T_1, T_2, T_3)$ 
end while 
if $B_3 = 1$ then 
    $\gcd(p, a) \leftarrow B_3$; 
    $a^{-1} \leftarrow B_2$; 
else if $B_3 = 0$ then 
    $\gcd(p, a) \leftarrow A_3$; 
    $a^{-1}$ does not exist; 
end if 
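As an added illustration of Algorithms 3.1 and 3.2 (our own code, not the textbook's), the following Python reproduces both procedures, keeps the $(A_1, A_2, A_3)$ and $(B_1, B_2, B_3)$ vectors so that the rows of Figure 3.2 can be printed, and uses the inverse to carry out the cancellation of Property 5; all function names are ours.

```python
# Added example: Algorithms 3.1 and 3.2 (Euclidean and extended Euclidean
# algorithms) written out in Python. This is our own code, not the
# textbook's; function names are ours.
from typing import List, Optional, Tuple


def euclid_gcd(a: int, b: int) -> int:
    """Algorithm 3.1: gcd(a, b), using gcd(a, b) = gcd(b, a mod b).

    Works for any non-negative a, b: if a < b the first round swaps them.
    """
    A, B = a, b
    while B != 0:
        temp = A % B
        A = B
        B = temp
    return A


def extended_euclid(p: int, a: int,
                    trace: Optional[List[tuple]] = None) -> Tuple[int, Optional[int]]:
    """Algorithm 3.2: return (gcd(p, a), a^-1 in MOD(p)), or (gcd, None).

    Keeps the vectors (A1, A2, A3) and (B1, B2, B3) of the textbook's
    formulation. The invariant A1*p + A2*a == A3 (likewise for B) holds
    after every step, so when B3 reaches 1 we have B1*p + B2*a == 1,
    i.e. B2 is the inverse of a modulo p. If `trace` is a list, each
    row (Q, A-vector, B-vector) is appended to it, reproducing the
    rows of Figure 3.2.
    """
    A1, A2, A3 = 1, 0, p
    B1, B2, B3 = 0, 1, a
    if trace is not None:
        trace.append((None, (A1, A2, A3), (B1, B2, B3)))
    while B3 != 0 and B3 != 1:
        Q = A3 // B3
        T1, T2, T3 = A1 - Q * B1, A2 - Q * B2, A3 - Q * B3
        A1, A2, A3 = B1, B2, B3
        B1, B2, B3 = T1, T2, T3
        assert A1 * p + A2 * a == A3 and B1 * p + B2 * a == B3
        if trace is not None:
            trace.append((Q, (A1, A2, A3), (B1, B2, B3)))
    if B3 == 1:
        return 1, B2 % p       # B2 may be negative; reduce it to 0..p-1
    return A3, None            # B3 == 0: gcd(p, a) = A3 > 1, no inverse


def mod_inverse(a: int, p: int) -> Optional[int]:
    """Convenience wrapper: a^-1 mod p, or None when gcd(a, p) != 1."""
    return extended_euclid(p, a)[1]


def invertible_elements(n: int) -> List[int]:
    """Residues of Z_n that have a multiplicative inverse, i.e. gcd(a, n) = 1."""
    return [a for a in range(1, n) if mod_inverse(a, n) is not None]


def cancel_factor(a: int, x: int, n: int) -> Optional[int]:
    """Property 5 in action: recover b mod n from x = (a*b) mod n.

    Multiplying by a^-1 cancels a only when gcd(a, n) = 1; otherwise the
    cancellation is not valid and None is returned.
    """
    inv = mod_inverse(a, n)
    return None if inv is None else (x * inv) % n


if __name__ == "__main__":
    print("gcd(3003, 1440) =", euclid_gcd(3003, 1440))
    rows: List[tuple] = []
    print("3^-1 in MOD(20):", extended_euclid(20, 3, rows))
    for q, A, B in rows:                      # the rows of Figure 3.2a
        print(f"  Q={q}  A={A}  B={B}")
    print("6^-1 in MOD(20):", extended_euclid(20, 6))
    print("invertible elements of Z_20:", invertible_elements(20))
```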


3.3 Finite Field and Galois Field 


Finite fields are used in a variety of cryptographic algorithms such as the AES encryption 
algorithm and public key cryptography. A finite field is a field with a finite number of ele- 
ments. Please note that the fields of rational numbers, real numbers, and complex numbers 
all have an infinite number of elements and are therefore not finite fields. A typical example of a finite 
field is the ring of integers modulo p, or MOD(p) = $\{0, 1, \ldots, p - 1\}$ where p is a prime num- 
ber, in which addition, subtraction, and multiplication can be performed. The results of addition 
and multiplication in MOD(7) are shown in Figure 3.3. 

For a finite field, the number of elements is called its order. A Galois field is a special case of a 
finite field with an order $q = p^n$, where p is a prime number and n is some positive 
integer. A typical Galois field is commonly denoted as GF($p^n$), e.g. GF($2^8$), GF($3^{128}$), 
etc. Two of the finite fields of most interest in cryptography are GF(p) and GF($2^n$). 
Known from its definition, GF(p) is the set $\{0, 1, \ldots, p - 1\}$ with arithmetic operations 
modulo the prime number p. The order of GF(p) is also p. Within GF(p), the operations of 
addition, multiplication, subtraction, and division are performed without leaving the field. 
The simplest form of GF(p) is GF(2) = $\{0, 1\}$. In GF(2), both addition and subtraction are 
equivalent to the exclusive-OR (XOR, $\oplus$) operation. For example, $1 + 1 = 1 - 1 = 1 \oplus 1 = 0$ 
in GF(2). Multiplication in GF(2) is equivalent to the logical AND ($\wedge$) operation. For example, 
$1 \times 1 = 1 \wedge 1 = 1$ in GF(2). The addition and multiplication operations are summarized 
in Figures 3.4a and 3.4b, respectively. The multiplicative inverse of all elements in GF(2) is 
illustrated in Figure 3.4c. More discussion on the multiplicative inverse will be given in 
Section 3.4.3. For other finite fields, addition, subtraction, and multiplication cannot be 
converted to simple XOR or AND operations. 


+ | 0 1 2 3 4 5 6        × | 0 1 2 3 4 5 6 
0 | 0 1 2 3 4 5 6        0 | 0 0 0 0 0 0 0 
1 | 1 2 3 4 5 6 0        1 | 0 1 2 3 4 5 6 
2 | 2 3 4 5 6 0 1        2 | 0 2 4 6 1 3 5 
3 | 3 4 5 6 0 1 2        3 | 0 3 6 2 5 1 4 
4 | 4 5 6 0 1 2 3        4 | 0 4 1 5 2 6 3 
5 | 5 6 0 1 2 3 4        5 | 0 5 3 1 6 4 2 
6 | 6 0 1 2 3 4 5        6 | 0 6 5 4 3 2 1 


(a)                      (b) 


Figure 3.3 Addition and multiplication in MOD(7). (a) Addition in MOD(7). (b) Multiplication in 
MOD(7). 


+ | 0 1        × | 0 1        a    | 0 1 
0 | 0 1        0 | 0 0        a⁻¹  | – 1 
1 | 1 0        1 | 0 1 


(a)            (b)            (c) 


Figure 3.4 Operations in GF(2). (a) Addition in GF(2). (b) Multiplication in GF(2). (c) Multiplicative 
inverse in GF(2). 


3.4 Polynomial Arithmetic 


Besides integer arithmetic, polynomial arithmetic is also widely applied in many crypto- 
graphic algorithms. A polynomial f(x) is defined as: 

$$f(x) = a_n x^n + a_{n-1} x^{n-1} + \cdots + a_1 x + a_0 = \sum_{i=0}^{n} a_i x^i,$$

where $a_i$ are the coefficients of the polynomial, and x is the indeterminate. 


3.4.1 Ordinary Polynomial Arithmetic 


Polynomial arithmetic is the application of arithmetic operations, for example addi- 
tion, subtraction, multiplication, and division, to polynomials. For two polynomials $f(x) = \sum_{i=0}^{n} a_i x^i$ and 
$g(x) = \sum_{i=0}^{m} b_i x^i$, the ordinary polynomial addition is defined as follows: 

$$f(x) + g(x) = \sum_{i=0}^{m} (a_i + b_i) x^i, \quad \text{for } m \ge n. \tag{3.2}$$

The polynomial multiplication is defined as follows: 

$$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i, \tag{3.3}$$

where $c_i = \sum_{k} a_k b_{i-k}$. For example, given $f(x) = x^2 + 2x + 3$ and $g(x) = 3x^2 - 2x + 1$, the 
polynomial addition and polynomial multiplication are as follows: 

$$f(x) + g(x) = 4x^2 + 4,$$
$$f(x) \times g(x) = 3x^4 + 4x^3 + 6x^2 - 4x + 3.$$

Figures 3.5a and 3.5b show the process of addition and multiplication in ordinary polyno- 
mial arithmetic. 
Polynomial division is usually calculated using long division. Let $f(x) = 3x^4 + 4x^3 + 6x^2 - 
4x + 3$ and $g(x) = 3x^2 - 2x + 1$; the polynomial division is calculated as follows: 

$$\frac{f(x)}{g(x)} = \frac{3x^4 + 4x^3 + 6x^2 - 4x + 3}{3x^2 - 2x + 1} = x^2 + 2x + 3.$$

The polynomial division is illustrated in Figure 3.6. 

Figure 3.6 An example of polynomial division in 


3.4.2 Polynomial Arithmetic in Finite Fields 


In Section 3.4.1, ordinary polynomial arithmetic has been illustrated, i.e. the coefficients 
are in the set of integers. In cryptography, modular arithmetic is usually applied to the coeffi- 
cients in polynomial arithmetic, known as polynomials with coefficients in GF(p). That is 
to say, for $f(x) = \sum_{i=0}^{n} a_i x^i$, the coefficients are in GF(p), i.e. $a_i \in \mathrm{GF}(p)$. The polynomial 
addition with coefficients in GF(p) is defined as: 

$$f(x) + g(x) = \sum_{i=0}^{m} [(a_i + b_i) \bmod p]\, x^i, \quad \text{for } m \ge n. \tag{3.4}$$

The polynomial multiplication with coefficients in GF(p) is defined as: 

$$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i, \tag{3.5}$$

where $c_i = \left(\sum_{k} a_k b_{i-k}\right) \bmod p$. For instance, let the polynomial arithmetic have coeffi- 
cients in GF(2); then the same coefficients used in the example in Section 3.4.1 cannot be 
applied. In this new example, let $f(x) = x^2 + x + 1$ and $g(x) = x^3 + x^2 + 1$; then the polyno- 
mial addition is computed as: 

$$f(x) + g(x) = x^3 + (2 \bmod 2)x^2 + x + (2 \bmod 2) = x^3 + x.$$

Detail is shown in Figure 3.7a. The polynomial multiplication $f(x) \times g(x)$ is: 

$$f(x) \times g(x) = x^5 + (2 \bmod 2)x^4 + (2 \bmod 2)x^3 + (2 \bmod 2)x^2 + x + 1 = x^5 + x + 1.$$

Detail is shown in Figure 3.7b. 

The polynomial division f(x)/g(x) with coefficients in GF(p) applies long division 
where the operations on the coefficients are in GF(p). For $f(x) = x^5 + x + 1$ and $g(x) = x^3 + 
x^2 + 1$, the polynomial division f(x)/g(x) in GF(2) is computed as: 

$$\frac{f(x)}{g(x)} = \frac{x^5 + x + 1}{x^3 + x^2 + 1} = x^2 + x + 1.$$

Detail of the calculation is shown in Figure 3.8. 

Figure 3.7 Ordinary polynomial addition and multiplication. (a) f(x) + g(x) with coefficients in 
GF(2). (b) f(x) × g(x) with coefficients in GF(2). 
Figure 3.8 f(x)/g(x) with coefficients in GF(2). 


3.4.3 Modular Polynomial Arithmetic 


Polynomials can apply modular operations similar to integers. A polynomial f(x) can be 
expressed as: 

$$f(x) = q(x)c(x) + r(x),$$

where r(x) can be interpreted as the polynomial residue from f(x) divided by c(x). By applying 
modular arithmetic, it is expressed as: 

$$f(x) \bmod c(x) = r(x),$$

or 

$$f(x) \equiv r(x) \bmod c(x).$$


Example: given $f(x) = 4x^3 + 6x^2 + 5x + 8$ and $c(x) = x^2 + 1$, find r(x). 

$$4x^3 + 6x^2 + 5x + 8 = (4x + 6)(x^2 + 1) + (x + 2).$$

Thus $r(x) = x + 2$. 


Similar to integer arithmetic, if the residue $r(x) = 0$, then c(x) divides f(x), denoted as 
$c(x) \mid f(x)$. Equivalently speaking, c(x) is a polynomial divisor of f(x). For example, 
$c(x) = x + 1$ divides $f(x) = x^2 + 2x + 1$. If c(x) is also a polynomial divisor of another 
polynomial g(x), then c(x) is a common divisor of f(x) and g(x). Now, if this particular 
polynomial c(x) is the polynomial of greatest degree which divides both f(x) and g(x), then 
c(x) is the greatest common divisor of f(x) and g(x), denoted as $c(x) = \gcd(f(x), g(x))$. The 
Euclidean algorithm can be modified to find c(x), as illustrated in Algorithm 3.3. 


Algorithm 3.3 Euclidean gcd(f(x), g(x)) 
Input: f(x) and g(x) 
Output: gcd(f(x), g(x)); 
A(x) = f(x); B(x) = g(x); 
while B(x) ≠ 0 do 
    temp(x) ← (A(x) mod B(x)); 
    A(x) = B(x); 
    B(x) = temp(x); 
end while 
gcd(f(x), g(x)) ← A(x) 


In some cryptographic algorithms, modular polynomial arithmetic is computed in the finite 
field GF($2^n$) using polynomials whose degree is less than n, with coefficients modulo p (i.e. the coefficients are in 
GF(p)). Readers should note that there are two moduli involved in polynomial modular 
arithmetic: (i) a polynomial modulus that determines the polynomial remainder, and (ii) an 
integer modulus that restricts the coefficients to GF(p). 


Example: Given $f(x) = x^5 + x^3 + 1$ and $g(x) = x^3 + x^2 + 1$ with coefficients in GF(2), find 
$f(x) \bmod g(x)$. 

One can apply long division to find the polynomial quotient q(x) and polynomial 
remainder r(x) such that 

$$f(x) = q(x) \cdot g(x) + r(x),$$
$$x^5 + x^3 + 1 = (x^2 + x)(x^3 + x^2 + 1) + (x^2 + x + 1).$$

Thus $q(x) = x^2 + x$ and $r(x) = x^2 + x + 1$. Details of the calculation are shown in 
Figure 3.9. Note that all coefficients are in GF(2), thus the subtraction applied in the long 
division is the same as the XOR operation. 

Figure 3.9 An example of polynomial modulus. 


The multiplicative inverse can also be applied to polynomials over a finite field. For a polynomial 
f(x), if a multiplicative inverse g(x) exists in GF($2^n$), then $f(x) \cdot g(x) = 1$ in GF($2^n$), where 
$g(x) = f^{-1}(x)$. Similar to finding the multiplicative inverse for integers, the extended Euclidean 
algorithm can be applied to find a polynomial multiplicative inverse $f^{-1}(x)$ in GF($2^n$). If a 
polynomial g(x) has no divisor other than itself or 1, then g(x) is an irreducible polynomial, 
or prime polynomial. Arithmetic modulo an irreducible polynomial forms a finite field. 


Example: $g(x) = x + 1$ is an irreducible polynomial in GF(2). 


Example: $g(x) = x^4 + 1$ is not an irreducible polynomial in GF(2). 

$$x^4 + 1 = (x + 1)(x^3 + x^2 + x + 1) = (x + 1)(x + 1)(x^2 + 1) = (x + 1)^4.$$


3.4.4 Computational Considerations 


A common modular polynomial arithmetic used in cryptography has coefficients in GF(2), 
thus the coefficients are either 0 or 1. For this reason, a polynomial f(x) can be represented 
as a bit string of 0’s and 1’s. For example, in GF($2^3$), $(x^2 + 1)$ can be represented as $(101)_2$, and 
$(x^2 + x + 1)$ can be represented as $(111)_2$. Polynomial addition can be computed as the XOR 
function of the strings. For example, 

$$(x^2 + 1) + (x^2 + x + 1) = x \;\Leftrightarrow\; 101 \oplus 111 = (010)_2.$$

Polynomial multiplication is computed as shift and XOR functions. For example, 

$$(x + 1) \cdot (x^2 + 1) = x \cdot (x^2 + 1) + 1 \cdot (x^2 + 1) = x^3 + x^2 + x + 1$$
$$\Leftrightarrow\; 011 \cdot 101 = (101 \ll 1) \oplus (101 \ll 0) = 1010 \oplus 101 = (1111)_2.$$

Figure 3.10 shows the results of modular polynomial addition in GF($2^3$) over the irreducible 
polynomial $f(x) = x^3 + x + 1$. Figure 3.11 shows the results of modular polynomial multi- 
plication in the same finite field. For simplicity, the subscript $(\cdot)_2$ for binary strings is omitted 
in the illustration. 
+   | 000 001 010 011 100 101 110 111 
000 | 000 001 010 011 100 101 110 111 
001 | 001 000 011 010 101 100 111 110 
010 | 010 011 000 001 110 111 100 101 
011 | 011 010 001 000 111 110 101 100 
100 | 100 101 110 111 000 001 010 011 
101 | 101 100 111 110 001 000 011 010 
110 | 110 111 100 101 010 011 000 001 
111 | 111 110 101 100 011 010 001 000 

Figure 3.10 Polynomial addition modulo $(x^3 + x + 1)$. 


×   | 000 001 010 011 100 101 110 111 
000 | 000 000 000 000 000 000 000 000 
001 | 000 001 010 011 100 101 110 111 
010 | 000 010 100 110 011 001 111 101 
011 | 000 011 110 101 111 100 001 010 
100 | 000 100 011 111 110 010 101 001 
101 | 000 101 001 100 010 111 011 110 
110 | 000 110 111 001 101 011 010 100 
111 | 000 111 101 010 001 110 100 011 

Figure 3.11 Polynomial multiplication modulo $(x^3 + x + 1)$. 


3.4.5 Generating a Finite Field with a Generator 


A generator g may be applied to define a specific finite field F (e.g. GF(2^n)) of order q defined 
over an irreducible polynomial f(x), i.e. $F = \{0, g^0, g^1, \ldots, g^{q-2}\}$. A root of f(x), i.e. an element g 
with f(g) = 0, is such a generator whenever f(x) is a primitive polynomial. This holds for the 
polynomial used below, but not for every irreducible polynomial: for instance x is a root of the AES 
polynomial x^8 + x^4 + x^3 + x + 1, yet its powers return to 1 after only 51 steps, so it does not 
generate all 255 nonzero elements of GF(2^8). 

For example, given the finite field GF(2^3) defined over the irreducible polynomial $f(x) = x^3 + x + 1$, 
the generator g is found by setting 


$f(g) = 0 \Leftrightarrow g^3 + g + 1 = 0$ 
$\Leftrightarrow g^3 = -g - 1 = g + 1$ (the coefficients are in GF(2)). 

Thus, g^3 is represented in terms of g^1 and g^0. For g^k where k > 3, the elements are generated as follows: 

$g^4 = g(g^3) = g(g + 1) = g^2 + g$ 
$g^5 = g(g^4) = g(g^2 + g) = g^3 + g^2 = g^2 + g + 1$ 
$g^6 = g(g^5) = g(g^2 + g + 1) = g^3 + g^2 + g = g^2 + 1$ 
$g^7 = g(g^6) = g(g^2 + 1) = g^3 + g = 1 = g^0$ 
$g^8 = g(g^7) = g(g^0) = g$ 


$g^k = g^{k \bmod 7}$ for any integer k. 

Therefore, generator g defines the entire finite field GF(2^3) over $f(x) = x^3 + x + 1$. The 
power representation, polynomial and binary representation of the generator for GF(2^3) using 
$f(x) = x^3 + x + 1$ is shown in Table 3.1. 

In general, for any finite field GF(2^n), if its generator is g, then all the nonzero elements of the 
finite field can be found by calculating $g^k = g^{k \bmod (2^n - 1)}$ for any integer k. 




Table 3.1 Generator for GF(2^3) using f(x) = x^3 + x + 1. 


Power of generator g    Polynomial       Binary 
0                       0                000 
g^0                     1                001 
g^1                     g                010 
g^2                     g^2              100 
g^3                     g + 1            011 
g^4                     g^2 + g          110 
g^5                     g^2 + g + 1      111 
g^6                     g^2 + 1          101 
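The following Python program is an added worked example and not code from the book. It implements the bit-string arithmetic of Section 3.4.4 (XOR for addition, shift-and-XOR followed by reduction for multiplication), regenerates the multiplication table of Figure 3.11 and the power sequence of Table 3.1, and computes the multiplicative order of an element, which is how one checks that a root of f(x) really is a generator. Function names such as gf_mul and the constant names are the example's own; the AES polynomial 0x11B is used only to illustrate an irreducible polynomial whose root x is not a generator.

```python
# Added example (not from the book): GF(2^n) arithmetic on bit strings, as in
# Sections 3.4.4 and 3.4.5. Field elements are Python ints whose bits are the
# polynomial coefficients; the modulus is the irreducible polynomial with its
# leading bit set (e.g. x^3 + x + 1 -> 0b1011).

def gf_add(a, b):
    """Polynomial addition over GF(2) is bitwise XOR."""
    return a ^ b

def gf_mul(a, b, mod):
    """Shift-and-XOR multiplication followed by reduction modulo `mod`."""
    n = mod.bit_length() - 1          # degree of the modulus = field size in bits
    prod = 0
    for i in range(b.bit_length()):
        if (b >> i) & 1:
            prod ^= a << i            # add a * x^i
    # reduce: whenever a bit at position >= n is set, subtract (XOR) mod shifted up
    for i in range(prod.bit_length() - 1, n - 1, -1):
        if (prod >> i) & 1:
            prod ^= mod << (i - n)
    return prod

def gf_pow(a, k, mod):
    """Square-and-multiply exponentiation in the field."""
    result, base = 1, a
    while k:
        if k & 1:
            result = gf_mul(result, base, mod)
        base = gf_mul(base, base, mod)
        k >>= 1
    return result

def gf_inv(a, mod):
    """Inverse via a^(2^n - 2): the field analogue of Fermat's little theorem."""
    n = mod.bit_length() - 1
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, (1 << n) - 2, mod)

def mul_table(mod):
    """The table of Figure 3.11: table[a][b] = a*b mod `mod`."""
    size = 1 << (mod.bit_length() - 1)
    return [[gf_mul(a, b, mod) for b in range(size)] for a in range(size)]

def powers_of(g, mod):
    """Successive powers g^0, g^1, ... of a nonzero g until the sequence returns to 1."""
    n = mod.bit_length() - 1
    seq, cur = [], 1
    for _ in range(1 << n):
        seq.append(cur)
        cur = gf_mul(cur, g, mod)
        if cur == 1:
            break
    return seq

def multiplicative_order(g, mod):
    """Number of distinct nonzero powers; g is a generator iff this equals 2^n - 1."""
    return len(powers_of(g, mod))

if __name__ == "__main__":
    POLY3 = 0b1011        # x^3 + x + 1
    print(f"{gf_mul(0b011, 0b101, POLY3):03b}")                 # 100, i.e. x^2
    print([f"{p:03b}" for p in powers_of(0b010, POLY3)])       # Table 3.1 order
    AES_POLY = 0x11B      # x^8 + x^4 + x^3 + x + 1, irreducible but not primitive
    print(multiplicative_order(0x02, AES_POLY), multiplicative_order(0x03, AES_POLY))
```

Reducing inside gf_mul rather than after building a lookup table keeps the routine valid for any degree; the table-driven variant used in AES implementations is a constant-time concern of its own (table lookups leak through the cache), which is why hardware or bit-sliced multiplication is preferred in production code.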


3.5 Fermat’s Little Theorem, Euler’s Totient Function, 
and Euler’s Theorem 


3.5.1 Fermat’s Little Theorem 

Fermat’s little theorem is applied in some public key cryptography and primality testing. 
The theorem is described as follows. 

Theorem 3.1 Fermat's Little Theorem: Given p as a prime number, and a as an integer 
that is not divisible by p, i.e. gcd(a, p) = 1, Fermat's little theorem gives: 


$a^{p-1} \equiv 1 \pmod p.$  (3.6) 


Proof: First create the sequence of numbers $(a, 2a, 3a, \ldots, (p-1)a)$. Given gcd(a, p) = 1, if 
$m \cdot a \equiv n \cdot a \pmod p$, then we must have $m \equiv n \pmod p$. Since the (p − 1) multipliers are 
distinct and nonzero, the p − 1 multiples of a mod p are distinct and nonzero. Therefore, 
multiplying all the congruences together, 


$a \times 2a \times 3a \times \cdots \times (p-1)a \equiv 1 \times 2 \times 3 \times \cdots \times (p-1) \pmod p$ 
$\Rightarrow (p-1)!\, a^{p-1} \equiv (p-1)! \pmod p.$ 

Since p is prime, gcd((p − 1)!, p) = 1, so (p − 1)! can be cancelled from both sides, 

$a^{p-1} \equiv 1 \pmod p.$ 


That completes the proof. # 


Example: Given p = 7 and a = 2, verify Fermat's little theorem. It can be seen that: 


$a^{p-1} \bmod p \Rightarrow 2^{7-1} \bmod 7 = 64 \bmod 7 = 1 \Rightarrow 2^6 \equiv 1 \pmod 7.$ 
Table 3.2 List of φ(n) for 1 ≤ n ≤ 30. 


n       1   2   3   4   5   6   7   8   9  10 
φ(n)    1   1   2   2   4   2   6   4   6   4 
n      11  12  13  14  15  16  17  18  19  20 
φ(n)   10   4  12   6   8   8  16   6  18   8 
n      21  22  23  24  25  26  27  28  29  30 
φ(n)   12  10  22   8  20  12  18  12  28   8 


Multiplying both sides of Eq. (3.6) by a, Fermat's little theorem can alternatively be presented 
as follows: 


$a^p \equiv a \pmod p, \quad \forall a \in \mathbb{Z}^+.$  (3.7) 


Note that for the original Fermat's little theorem in Eq. (3.6), a must be relatively prime to p, while 
the alternative form in Eq. (3.7) applies to any positive integer a, including multiples of p (p itself 
must still be prime). For example, given p = 5 and a = 10 (gcd(a, p) = 5), it can be seen that 
$10^5 = 100000 = 5 \times 20000 + 0 \equiv 0 \equiv 10 \pmod 5$. 


3.5.2 Euler Totient Function φ(n) 


Before giving the definition of the Euler totient function, readers need to understand the con- 
cept of a complete set of residues (remainders) and a reduced set. When doing arithmetic modulo 
n, where n is a positive integer, the complete set of residues is R = {0, ..., n − 1}. The 
reduced set R' ⊆ R includes all the elements that are relatively prime to n. For example, 
given n = 10, R = {0, 1, 2, ..., 9}, and R' = {1, 3, 7, 9}. It is now possible to give the defini- 
tion of the Euler totient function. The Euler totient function φ(n) is defined as the number of 
elements in R', i.e. φ(n) = |R'|. For example, φ(10) = 4, since R' = {1, 3, 7, 9} has four ele- 
ments. Table 3.2 lists φ(n) for the first 30 positive integers. 

What would be a good way to calculate φ(n)? In general, one can list R' and count |R'| to 
find φ(n). However, this is not efficient and not even feasible if n is a large number. On the 
other hand, a few techniques can be applied to compute φ(n), listed as follows: 


(1) φ(p) = p − 1, if p is a prime number; 
(2) φ(mn) = φ(m)φ(n), if gcd(m, n) = 1; 
(3) φ(p^k) = p^k − p^{k−1} = p^k(1 − 1/p), if p is a prime number and k is a positive integer. 


Example: Find φ(37), φ(10), and φ(25). 
φ(37) = 37 − 1 = 36, 
φ(10) = φ(2 × 5) = φ(2)φ(5) = (2 − 1)(5 − 1) = 4, 
φ(25) = φ(5^2) = 5^2 − 5^1 = 20. 




With the three techniques, it is possible to derive a general formula to compute φ(n) effi- 
ciently. Recall the prime factorization of an integer, i.e. $n = \prod_i p_i^{e_i}$. Note that the factors $p_i^{e_i}$ are 
relatively prime to each other, therefore φ(n) can be calculated as follows: 


$\phi(n) = \phi\left(\prod_i p_i^{e_i}\right) = \phi(p_1^{e_1})\,\phi(p_2^{e_2})\cdots$ 


According to the three techniques mentioned earlier, φ(n) can be further calculated as 
follows: 


$\phi(n) = n\left(1 - \frac{1}{p_1}\right)\left(1 - \frac{1}{p_2}\right)\cdots$  (3.8) 


However, in order to find φ(n) according to Eq. (3.8), the prime factorization has to be available. 
Although finding all the prime divisors is a hard problem for large n, it is far less work than listing all 
elements in R'. This is also why φ(n) must stay secret in RSA: for a modulus n = pq, knowing 
φ(n) = (p − 1)(q − 1) is equivalent to knowing the factorization. 


3.5.3 Euler’s Theorem 
If the Euler totient function is applied to Fermat's little theorem, it becomes Euler's theorem, 
stated as follows: 

Theorem 3.2 Euler's Theorem: If a and n are relatively prime, then 

$a^{\phi(n)} \equiv 1 \pmod n.$  (3.9) 

Proof: Let $R' = \{x_1, x_2, \ldots, x_{\phi(n)}\}$ be the set of reduced residues modulo n, where 
$\gcd(x_i, n) = 1$ for all $x_i \in R'$. Thus $aR' = \{ax_1, ax_2, \ldots, ax_{\phi(n)}\}$. Given gcd(a, n) = 1, if 
$ax_i \equiv ax_j \pmod n$, then $x_i = x_j$. Now, let 


$S = \{ax_1 \bmod n,\ ax_2 \bmod n,\ \ldots,\ ax_{\phi(n)} \bmod n\}.$ 

Since $x_1, x_2, \ldots, x_{\phi(n)}$ are distinct and each $ax_i \bmod n$ is again relatively prime to n, 
S is a permutation of $\{x_1, x_2, \ldots, x_{\phi(n)}\}$, which is R'. Therefore 

$\prod_{i=1}^{\phi(n)} x_i \equiv \prod_{i=1}^{\phi(n)} a x_i \pmod n$ 
$\Rightarrow \prod_{i=1}^{\phi(n)} x_i \equiv a^{\phi(n)} \prod_{i=1}^{\phi(n)} x_i \pmod n.$ 

Since $\prod_{i=1}^{\phi(n)} x_i$ is relatively prime to n, it can be cancelled from both sides, 

$a^{\phi(n)} \equiv 1 \pmod n.$ 


That completes the proof. # 


Example: Given a = 3 and n = 10; a = 2 and n = 11, demonstrate Euler's theorem. 
For n = 10, it has φ(n) = φ(10) = 4. Then it can be seen that 


$3^{\phi(10)} = 3^4 = 81 = 8 \times 10 + 1 \equiv 1 \pmod{10}.$ 

For n = 11, it has φ(11) = 10. Then it can be seen that 

$2^{\phi(11)} = 2^{10} = 1024 = 11 \times 93 + 1 \equiv 1 \pmod{11}.$ 


Multiplying both sides of Eq. (3.9) by a, Euler's theorem can be relaxed as follows: 

$a^{\phi(n)+1} \equiv a \pmod n.$  (3.10) 


Similar to the case with Fermat's little theorem, the original form of Euler's theorem 
requires that a be relatively prime to n. Eq. (3.10), however, holds for every integer a only when 
n is square-free, i.e. a product of distinct primes. The RSA modulus n = pq is of this kind, 
which is why RSA decryption also recovers the rare messages that share a factor with n. If n has 
a repeated prime factor, Eq. (3.10) can fail for a not coprime to n: with n = 4, φ(4) = 2 and a = 2, 
$2^3 = 8 \equiv 0 \not\equiv 2 \pmod 4$. 
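As an added worked example (not code from the book), the Python program below computes φ(n) from the prime factorization as in Eq. (3.8), cross-checks it against the counting definition φ(n) = |R'|, and tests Euler's theorem (3.9) and its relaxed form (3.10), including the square-free condition under which the relaxed form holds for every a. The trial-division factorization is only meant for small n; names such as phi and relaxed_form_holds are the example's own.

```python
# Added example (not from the book): Euler's totient from the prime factorization
# (Eq. 3.8), cross-checked against the definition phi(n) = |R'|, plus a check of
# Euler's theorem and of where its relaxed form (3.10) breaks.
from math import gcd

def factorize(n):
    """Trial-division factorization: returns {prime: exponent}. Fine for small n only."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def phi(n):
    """phi(n) = n * prod(1 - 1/p) over the distinct primes p dividing n (Eq. 3.8)."""
    result = n
    for p in factorize(n):
        result = result // p * (p - 1)   # exact: p divides the running product
    return result

def phi_by_counting(n):
    """The definition: count the reduced residues R' = {x : gcd(x, n) = 1}."""
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)

def euler_theorem_holds(a, n):
    """a^phi(n) == 1 (mod n); only claimed when gcd(a, n) == 1."""
    return gcd(a, n) == 1 and pow(a, phi(n), n) == 1

def relaxed_form_holds(a, n):
    """a^(phi(n)+1) == a (mod n); true for all a exactly when n is square-free."""
    return pow(a, phi(n) + 1, n) == a % n

def is_squarefree(n):
    """n has no repeated prime factor."""
    return all(e == 1 for e in factorize(n).values())

def relaxed_form_counterexamples(n):
    """All a in [0, n) for which Eq. (3.10) fails; empty iff n is square-free."""
    return [a for a in range(n) if not relaxed_form_holds(a, n)]

if __name__ == "__main__":
    print([phi(n) for n in range(1, 31)])                 # reproduces Table 3.2
    print(euler_theorem_holds(3, 10), euler_theorem_holds(2, 11))
    print(relaxed_form_counterexamples(4), relaxed_form_counterexamples(15))
```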


3.6 Primality Testing 


Prime numbers play an important role in cryptography. However, given an integer n, how 
can its primality be verified? If the number is relatively small, it is possible to perform an exhaus- 
tive search, by dividing by all prime numbers that are smaller than $\sqrt{n}$. However, prime 
numbers used in cryptography are usually very large, e.g. 1024 bits or more for the primes of an 
RSA modulus. In that case, how can primality be tested? Fortunately, prime numbers have a few 
properties that allow probabilistic primality tests to be applied. Two properties of prime numbers 
are given as follows: 


(1) If p is a prime number and a is a positive integer less than p, then $a^2 \bmod p = 1$ if and 
only if either 


$a \bmod p = 1,$ 
or 

$a \bmod p = -1 = p - 1 \pmod p.$ 
Since 

$ab \bmod p = ((a \bmod p)(b \bmod p)) \bmod p,$ 
the two possibilities can be rewritten as 

$a^2 \bmod p = (a \bmod p)^2 \bmod p = 1.$ 

In other words, modulo a prime the only square roots of 1 are ±1. A composite n can have 
further square roots of 1, and finding one, i.e. an x with $x^2 \equiv 1$ but $x \not\equiv \pm 1 \pmod n$, 
immediately yields a factor of n as gcd(x − 1, n). 


(2) Let p be a prime number greater than 2; p can be written as $p = 2^k q + 1$ for some integer 
k > 0 and odd integer q. Let a be an integer such that 1 < a < p − 1, then one of the two 
following conditions is true. 

(a) $a^q \equiv 1 \pmod p$. 
(b) There exists an integer j, for 0 ≤ j ≤ k − 1, where $a^{2^j q} \equiv p - 1 \pmod p$. 


The Miller-Rabin algorithm is a primality testing algorithm based on the two properties 
of prime numbers. The algorithm is shown in detail in Algorithm 3.4. 


Algorithm 3.4 Miller-Rabin Algorithm 
Input: An odd integer n for primality testing; 
Output: "Composite" if n is composite, otherwise "Probably Prime"; 
Find integers k, q where k > 0, q is odd, and (n − 1) = 2^k q; 
a ← Random integer, where 2 ≤ a ≤ n − 2; 
if a^q mod n = 1 then 
    Return "Probably Prime"; 
else 
    for j = 0 to k − 1 do 
        if a^(2^j q) mod n = n − 1 then 
            Return "Probably Prime"; 
        end if 
    end for 
    Return "Composite"; 
end if 


Example: Apply the Miller-Rabin algorithm to test the primality of n = 37. 

Given n = 37, it has $n - 1 = 36 = 2^2 \times 9 = 2^k q$, thus k = 2 and q = 9. Randomly choose 
a = 3; one finds $3^9 \bmod 37 = 36 = -1$, which is not 1, so the algorithm enters the for loop. 
At j = 0 it computes $3^{2^0 \cdot 9} \bmod 37 = 36 = n - 1$ and returns "Probably Prime." 


Example: Apply the Miller-Rabin algorithm to test the primality of n = 35. 

Given n = 35, we have $n - 1 = 34 = 2 \times 17$, thus k = 1 and q = 17. Randomly choose 
a = 3; one finds $3^{17} \bmod 35 = 33$, which is neither 1 nor 34, thus the algorithm returns 
"Composite." 


If the Miller-Rabin algorithm returns "Composite" then the tested number is definitely 
composite. However, if the Miller-Rabin algorithm returns "Probably Prime" then the 
tested number is not guaranteed to be prime. One possibility is a strong pseudoprime: 
a composite number that also satisfies the properties for the particular base a that was chosen 
(such a base is called a strong liar for n). For example, given the composite number 
n = 221 = 13 × 17, then $n - 1 = 220 = 2^2 \times 55$, thus k = 2 and q = 55. If the Miller-Rabin 
algorithm starts with a = 21, then it computes $21^{55} \bmod 221 = 200$, which is neither 1 nor 220, 
so it enters the loop and computes $21^{2 \cdot 55} \bmod 221 = 220 = n - 1$, which returns "Probably 
Prime." However, 221 = 13 × 17 is a composite number, thus the primality test fails to detect 
it with a = 21 (most other bases, e.g. a = 2, do detect it). This does not make the Miller-Rabin 
algorithm useless. For any odd composite n, at most about one quarter of the possible bases a 
are strong liars, so a single round returns "Probably Prime" for a composite n with probability 
at most 1/4. In other words, a "Probably Prime" answer from one round can be trusted with at 
least 75% confidence. In order to further reduce the probability of a false positive, a user may 
run the Miller-Rabin algorithm multiple times with different, independently chosen bases a. If 
the Miller-Rabin algorithm is repeated with t different a values, then the probability that a 
composite n passes every round is reduced to at most $4^{-t}$. Thus the probability of a correct 
primality testing result after t rounds is at least $1 - 4^{-t}$. For example, if the Miller-Rabin 
algorithm is run 10 times with all results "Probably Prime," then the probability that n is truly 
prime is more than $1 - 4^{-10} > 0.99999$. That is to say, after testing 10 times with different 
bases, if all the results are "Probably Prime," one can trust that n is prime with better than 
99.999% confidence. Note that the 1/4 bound assumes the bases are chosen at random by the tester; 
cryptographic libraries use considerably more rounds (or deterministic base sets) when the candidate 
n may have been supplied by an adversary who could search for a number with many strong liars. 


Prime Distribution: The prime number theorem states that, around a number n, roughly one in every 
(ln n) integers is prime. Since all the even numbers (other than 2) can be ignored, only about 
(0.5 ln n) odd numbers of size n need to be tested to locate a prime number. For example, to find 
a prime on the order of magnitude of $2^{200}$, about $0.5 \ln(2^{200}) \approx 69$ trials would be 
needed. Readers need to note that (0.5 ln n) is only an average value. Two prime numbers are 
sometimes close to each other, and far apart at other times. 
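The Python program below is an added worked example, not code from the book. It implements Algorithm 3.4 with an explicit witness loop, enumerates the strong liars of the composite 221 discussed above (so the 1/4 bound can be seen on a concrete number), repeats the test with random bases drawn from the secrets module, and searches for the next probable prime while counting how many odd candidates had to be tried, which is the quantity the prime distribution estimate predicts. Names such as miller_rabin_round and strong_liars are the example's own; the rounds value 40 is a common library default, not a value from the book.

```python
# Added example (not from the book): the Miller-Rabin test of Algorithm 3.4 with an
# explicit witness loop, the strong-liar case n = 221, a = 21 from the text, and a
# prime search that counts how many odd candidates are tried (Section 3.6).
import secrets

def decompose(n):
    """Write n - 1 = 2^k * q with q odd."""
    k, q = 0, n - 1
    while q % 2 == 0:
        k += 1
        q //= 2
    return k, q

def miller_rabin_round(n, a):
    """One round of Algorithm 3.4 for odd n >= 5 and base 2 <= a <= n - 2.
    Returns True for 'Probably Prime' and False for 'Composite'."""
    k, q = decompose(n)
    x = pow(a, q, n)                   # a^q mod n
    if x == 1 or x == n - 1:           # condition (a), or (b) with j = 0
        return True
    for _ in range(k - 1):             # j = 1 .. k-1: square repeatedly
        x = pow(x, 2, n)
        if x == n - 1:
            return True
        if x == 1:                     # passed a nontrivial square root of 1
            return False
    return False

def is_probable_prime(n, rounds=40, rng=secrets.randbelow):
    """Repeat the test with `rounds` random bases; a composite survives with
    probability at most 4^-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = 2 + rng(n - 3)             # uniform in [2, n-2]
        if not miller_rabin_round(n, a):
            return False
    return True

def strong_liars(n):
    """All bases in [2, n-2] for which the composite n passes one round."""
    return [a for a in range(2, n - 1) if miller_rabin_round(n, a)]

def next_prime(start, rounds=40):
    """Smallest probable prime >= start, plus the number of odd candidates tested,
    which on average is about 0.5 * ln(start) (prime distribution)."""
    n = start | 1
    tried = 0
    while True:
        tried += 1
        if is_probable_prime(n, rounds):
            return n, tried
        n += 2

if __name__ == "__main__":
    print(miller_rabin_round(37, 3), miller_rabin_round(35, 3), miller_rabin_round(221, 21))
    liars = strong_liars(221)
    print(len(liars), "liars out of", 221 - 3, "bases:", liars)   # 4 of 218
    p, tried = next_prime(secrets.randbits(200) | (1 << 199))
    print(p.bit_length(), "bits, candidates tried:", tried)      # about 69 on average
```

The early return on x == 1 inside the loop is not in Algorithm 3.4 but is safe: once the running value is 1 it stays 1 and can never become n − 1, and the x that preceded it was a nontrivial square root of 1, which proves n composite.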


3.7 Chinese Remainder Theorem 


One of the most useful results in number theory is the Chinese remainder theorem (CRT), so 
called because it is believed to have been discovered by an ancient Chinese mathematician. 
It is useful in speeding up computations in public key crypto algorithms such as RSA. 


Theorem 3.3 Chinese Remainder Theorem (CRT): If an integer M can be expressed as 


$M = \prod_{i=1}^{k} m_i,$  (3.11) 

where the $m_i$ are pairwise relatively prime, i.e. for all i, j ∈ [1, k] with i ≠ j, $\gcd(m_i, m_j) = 1$, then 
every integer in the set $\mathbb{Z}_M = \{0, 1, \ldots, M - 1\}$ can be reconstructed from its residues w.r.t. those 
k numbers. 


CRT makes two assertions about any integer A, described as follows: 


(1) For any given integer A where 0 ≤ A < M, there is a unique sequence of integers 
$a_1, a_2, \ldots, a_k$ (with $0 \le a_i < m_i$) that represents it. For any given such sequence $a_1, a_2, \ldots, a_k$, 
there is a unique integer $A \in \mathbb{Z}_M$. 

(2) Operations performed on the elements of $\mathbb{Z}_M$ can be equivalently performed on the cor- 
responding sequence $a_1, a_2, \ldots, a_k$ by performing the operation independently in each 
coordinate position in the appropriate system. 


According to CRT, for any integer $A \in \mathbb{Z}_M$, the exact sequence of integers $a_1, a_2, \ldots, a_k$ 
is calculated as follows: 


$a_i = A \bmod m_i, \quad \text{for } 1 \le i \le k.$  (3.12) 



With a given sequence $a_1, a_2, \ldots, a_k$, the integer A is reconstructed in the following steps: 


(1) First, calculate $M_i$ such that 


$M_i = \frac{M}{m_i}, \quad \text{for } 1 \le i \le k.$  (3.13) 

(2) Since $\gcd(M_i, m_i) = 1$, there exists a multiplicative inverse $M_i^{-1}$ for $M_i$ modulo $m_i$. Find 
$M_i^{-1}$ for all $M_i$, and calculate $c_i$ as follows: 

$c_i = M_i \times (M_i^{-1} \bmod m_i), \quad \text{for } 1 \le i \le k.$  (3.14) 


(3) Finally, reconstruct A as follows: 


$A = \left(\sum_{i=1}^{k} a_i \times c_i\right) \bmod M.$  (3.15) 


As this shows, CRT provides a way to manipulate numbers modulo M in terms of a sequence 
of smaller numbers. However, readers may note that the factorization of M is needed before- 
hand. Assuming that two large integers A and B have been represented using their unique 
sequences of integers, such that 

$A \leftrightarrow (a_1, \ldots, a_k)$, and 

$B \leftrightarrow (b_1, \ldots, b_k)$, 

CRT enables us to operate on the small integers instead of on A and B directly. For example, 
(A + B) mod M can be calculated as follows: 

$(A + B) \bmod M \leftrightarrow \big((a_1 + b_1) \bmod m_1, \ldots, (a_k + b_k) \bmod m_k\big),$  (3.16) 

and (A × B) mod M can be calculated as follows: 

$(A \times B) \bmod M \leftrightarrow \big((a_1 \times b_1) \bmod m_1, \ldots, (a_k \times b_k) \bmod m_k\big).$  (3.17) 


For example, given A = 12345, B = 23456, M = 6873 and the factorization 6873 = 
79 × 87, compute (A + B) mod M. CRT will be applied first and then direct 
computation will be used for verification. First, $m_1 = 79$ and $m_2 = 87$ are given, thus $M_1$ 
and $M_2$ are calculated as follows: 


$M_1 = \frac{M}{m_1} = 87,$ 

$M_2 = \frac{M}{m_2} = 79.$ 


Second, the multiplicative inverses $M_1^{-1}$ and $M_2^{-1}$ are found by applying the extended 
Euclidean algorithm. The values are as follows: 

$M_1^{-1} \bmod m_1 = 10,$ 

$M_2^{-1} \bmod m_2 = 76.$ 

One can easily verify that $87 \times 10 = 870 = 11 \times 79 + 1 \equiv 1 \pmod{79}$, and 
$79 \times 76 = 6004 = 69 \times 87 + 1 \equiv 1 \pmod{87}$. Before computing (A + B) mod M, the two 
unique integer sequences need to be established for A and B respectively. For A, its unique 
integer sequence is calculated as follows: 

$a_1 = A \bmod m_1 = 21,$ 

$a_2 = A \bmod m_2 = 78.$ 

And for B, its unique integer sequence is calculated as follows: 

$b_1 = B \bmod m_1 = 72,$ 

$b_2 = B \bmod m_2 = 53.$ 

With the two integer sequences $(a_1, a_2)$ and $(b_1, b_2)$, it is ready to compute (A + B) mod 
M. Assuming the result is C with unique integer sequence $(c_1, c_2)$, these are computed as 
follows: 


$c_1 = (a_1 + b_1) \bmod m_1 = (21 + 72) \bmod 79 = 14,$ 
$c_2 = (a_2 + b_2) \bmod m_2 = (78 + 53) \bmod 87 = 44.$ 

To reconstruct C from $(c_1, c_2)$, it is calculated as follows: 

$C = (c_1 \times M_1 \times M_1^{-1} + c_2 \times M_2 \times M_2^{-1}) \bmod M$ 
$= (14 \times 87 \times 10 + 44 \times 79 \times 76) \bmod 6873$ 
$= 276356 \bmod 6873 = 1436.$ 


Now, verify the result by computing (A + B) mod M directly: 

$(A + B) \bmod M = (12345 + 23456) \bmod 6873 = 35801 \bmod 6873 = 1436.$ 


The results are the same. In this example, since the integers are relatively small, CRT seems 
less efficient than computing directly. However, if the integers are very large (e.g. on the 
order of 512 bits or more), CRT can significantly speed up the modular operations: an RSA 
private-key exponentiation modulo n = pq is performed as two half-size exponentiations modulo 
p and modulo q and then recombined, roughly a fourfold speed-up. An implementation that does 
this should check the recombined result (e.g. by re-encrypting a signature with the public 
exponent) before releasing it, because an output that is faulty modulo only one of the two 
primes reveals the factorization of n through a single gcd computation. 
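The following Python program is an added worked example, not code from the book. It implements Eqs. (3.12) through (3.17) for any number of pairwise coprime moduli, computing the inverses $M_i^{-1}$ with the extended Euclidean algorithm, and reproduces the example above (A = 12345, B = 23456, M = 79 × 87) as well as a three-modulus reconstruction. The function names (crt_reconstruct, crt_add and so on) are the example's own.

```python
# Added example (not from the book): the CRT reconstruction of Eqs. (3.13)-(3.15)
# for any number of pairwise coprime moduli, the residue-wise add/multiply of
# Eqs. (3.16)-(3.17), and the worked example A = 12345, B = 23456, M = 79 * 87.
from math import gcd, prod

def mod_inverse(a, m):
    """Extended Euclid: x with a*x == 1 (mod m); raises if gcd(a, m) != 1."""
    old_r, r, old_s, s = a % m, m, 1, 0
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
    if old_r != 1:
        raise ValueError(f"{a} has no inverse modulo {m}")
    return old_s % m

def to_residues(A, moduli):
    """Eq. (3.12): A -> (A mod m_1, ..., A mod m_k)."""
    return tuple(A % m for m in moduli)

def crt_reconstruct(residues, moduli):
    """Eqs. (3.13)-(3.15): the unique A in [0, M) with A == a_i (mod m_i) for all i."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    M = prod(moduli)
    total = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i                          # Eq. (3.13)
        c_i = M_i * mod_inverse(M_i, m_i)       # Eq. (3.14)
        total += a_i * c_i
    return total % M                            # Eq. (3.15)

def crt_add(A, B, moduli):
    """(A + B) mod M computed coordinate-wise, Eq. (3.16), then reconstructed."""
    pairs = zip(to_residues(A, moduli), to_residues(B, moduli), moduli)
    return crt_reconstruct(tuple((a + b) % m for a, b, m in pairs), moduli)

def crt_mul(A, B, moduli):
    """(A * B) mod M computed coordinate-wise, Eq. (3.17), then reconstructed."""
    pairs = zip(to_residues(A, moduli), to_residues(B, moduli), moduli)
    return crt_reconstruct(tuple((a * b) % m for a, b, m in pairs), moduli)

if __name__ == "__main__":
    moduli = (79, 87)
    print(to_residues(12345, moduli), to_residues(23456, moduli))   # (21, 78) (72, 53)
    print(crt_add(12345, 23456, moduli), (12345 + 23456) % 6873)   # 1436 1436
    print(crt_mul(12345, 23456, moduli), (12345 * 23456) % 6873)
    print(crt_reconstruct((2, 3, 2), (3, 5, 7)))                    # 23
```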


3.8 Discrete Logarithm 


One last concept to introduce in this chapter is the discrete logarithm. Before getting into it, one 
needs to understand what a primitive root modulo a positive integer n is. Euler's theorem 
gives $a^{\phi(n)} \equiv 1 \pmod n$ if gcd(a, n) = 1. Thus for $a^m \equiv 1 \pmod n$, there must exist an 
exponent m = φ(n) that satisfies the requirement. Note that the smallest such m (the order of a) 
may also be smaller than φ(n). If m = φ(n) is the smallest solution, then a is called a primitive 
root modulo n. If n is a prime number, then the successive powers of a primitive root a generate 
the whole group of units modulo n. For example, a = 3 is a primitive root modulo n = 7, because 


$3^0 \equiv 1 \pmod 7,$ 
$3^1 \equiv 3 \pmod 7,$ 
$3^2 \equiv 2 \pmod 7,$ 
$3^3 \equiv 6 \pmod 7,$ 
$3^4 \equiv 4 \pmod 7,$ 
$3^5 \equiv 5 \pmod 7,$ 
$3^6 \equiv 1 \pmod 7.$ 


It is obvious that the group of units modulo 7 (i.e. {1, 2, 3, 4, 5, 6}) is generated by the powers 
of 3. Therefore, 3 is a primitive root modulo 7. Primitive roots are useful in cryptography; 
however, they are relatively hard to find for large prime numbers unless the factorization of 
p − 1 is known, since a is a primitive root modulo a prime p exactly when $a^{(p-1)/r} \not\equiv 1 \pmod p$ 
for every prime r dividing p − 1. 


After knowing the concept of a primitive root, it is ready to introduce the discrete logarithm. 
The discrete logarithm is the finite-group-theoretic analogue of the ordinary logarithm. For 
real numbers x, y, and z, one can define $y = \log_x z$ if $x^y = z$, with positive x ≠ 1. For integers 
x, y, z, and n, if 

$x^y \equiv z \pmod n,$  (3.18) 

then one can define the discrete logarithm as 


$y = \operatorname{dlog}_{x,n} z,$  (3.19) 

where dlog indicates the discrete logarithm. If x is a primitive root modulo n, then y always 
exists for every z relatively prime to n, and is unique modulo φ(n). Recall the example that 3 is 
a primitive root modulo 7. Then, given 

$3^y \equiv 4 \pmod 7,$ 

one can find that 

$y = \operatorname{dlog}_{3,7} 4 = 4.$ 

In fact, one can find all $\operatorname{dlog}_{3,7} z$ for 1 ≤ z ≤ 6 as follows: 

$\operatorname{dlog}_{3,7} 1 = 0,$ 
$\operatorname{dlog}_{3,7} 2 = 2,$ 
$\operatorname{dlog}_{3,7} 3 = 1,$ 
$\operatorname{dlog}_{3,7} 4 = 4,$ 
$\operatorname{dlog}_{3,7} 5 = 5,$ 
$\operatorname{dlog}_{3,7} 6 = 3.$ 

If x is not a primitive root modulo n, then a discrete logarithm modulo n may not exist for 
every z. It is also worth noting that while modular exponentiation is easy (square-and-multiply 
needs only O(log y) multiplications), finding a discrete logarithm is generally a hard problem: 
the best generic algorithms need on the order of $\sqrt{n}$ operations, which is why Diffie-Hellman 
and related schemes choose groups whose order makes $\sqrt{n}$ itself infeasible (at least about $2^{128}$, 
i.e. a group order of 256 bits or more, for 128-bit security). 
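The Python program below is an added worked example and not code from the book. It checks primitive roots with the criterion $a^{(p-1)/r} \not\equiv 1 \pmod p$ for the prime divisors r of p − 1, computes discrete logarithms by the exhaustive search implied by Eq. (3.19), and also implements the baby-step giant-step algorithm, the generic $\sqrt{n}$-time attack that the last paragraph refers to, so that the asymmetry between exponentiation and its inverse can be seen on a million-element group. Function names and the prime 1000003 used in the demo are the example's own choices.

```python
# Added example (not from the book): finding primitive roots with the factorization
# of p - 1, the brute-force discrete logarithm of Section 3.8, and the baby-step
# giant-step algorithm, whose ~sqrt(n) cost is the generic attack on the discrete log.
from math import isqrt

def prime_factors(n):
    """Distinct prime divisors of n by trial division (small n only)."""
    out, p = [], 2
    while p * p <= n:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        out.append(n)
    return out

def order(a, p):
    """Multiplicative order of a modulo prime p: smallest m > 0 with a^m == 1."""
    m, x = 1, a % p
    while x != 1:
        x = x * a % p
        m += 1
    return m

def is_primitive_root(a, p):
    """a is a primitive root mod prime p iff a^((p-1)/r) != 1 for every prime r | p-1."""
    if a % p == 0:
        return False
    return all(pow(a, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))

def smallest_primitive_root(p):
    return next(a for a in range(2, p) if is_primitive_root(a, p))

def dlog_bruteforce(x, z, n):
    """Eq. (3.19) by exhaustive search over y = 0, 1, 2, ...; None if no solution."""
    cur = 1
    for y in range(n):
        if cur == z % n:
            return y
        cur = cur * x % n
    return None

def dlog_bsgs(x, z, p):
    """Baby-step giant-step for prime p: O(sqrt(p)) time and memory instead of O(p)."""
    m = isqrt(p - 1) + 1
    baby, cur = {}, 1
    for j in range(m):                    # baby steps: x^j for j < m
        baby.setdefault(cur, j)
        cur = cur * x % p
    factor = pow(x, m * (p - 2), p)       # x^(-m), using x^(p-2) = x^(-1) (Fermat)
    gamma = z % p
    for i in range(m):                    # giant steps: z * x^(-i*m)
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * factor % p
    return None

if __name__ == "__main__":
    print(is_primitive_root(3, 7), order(3, 7), order(2, 7))          # True 6 3
    print([dlog_bruteforce(3, z, 7) for z in range(1, 7)])             # [0, 2, 1, 4, 5, 3]
    p = 1000003
    g = smallest_primitive_root(p)
    y = 123456
    print(g, dlog_bsgs(g, pow(g, y, p), p) == y)                       # solved in ~2000 steps
```

For the 2048-bit groups used in practice the $\sqrt{p}$ table is hopelessly large, which is the whole point; index-calculus methods do better than baby-step giant-step in $\mathbb{Z}_p^*$, but no known algorithm makes the problem easy at those sizes.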


3.9 Summary 


In this chapter, several basic concepts in number theory and modern algebra were introduced. 
Prime numbers, finite fields and polynomial arithmetic operations are widely applied 
in security algorithms. The mathematical concepts given in this chapter will be used in 
later chapters of this book. Readers are encouraged to study these concepts further 
if necessary [11-13]. 
Cryptographic Techniques 


4.1 Symmetric Encryption 


Symmetric encryption was the only type of encryption in use before the development of 
public-key encryption in the 1970s. Symmetric encryption is also referred to as conven- 
tional encryption or single-key encryption [14, 15]. It remains the more widely used of 
the two types of encryption. For simplicity, the basic terminology of cryptographic tech- 
niques is listed in Table 4.1. The symmetric cipher model is shown in Figure 4.1. A single 
key is pre-shared between the sender and the receiver. The sender and the receiver can 
either encrypt or decrypt messages using the pre-shared key. Normally, the sender runs an 
encryption algorithm that translates the input plaintext to its corresponding ciphertext. The 
ciphertext is then transmitted to the receiver side. The receiver runs a decryption algorithm, 
which is the inverse of the encryption algorithm, with the same pre-shared key to decrypt 
the ciphertext into plaintext. If the pre-shared key is K, the plaintext is X, the ciphertext is 
Y, and the encryption/decryption algorithms are E/D, then the encryption and decryption 
processes are 


$E_K(X) = Y,$  (4.1) 
and 
$D_K(Y) = X.$  (4.2) 


A symmetric cipher model requires that the encryption algorithm is strong enough to 
provide security. It also requires that the pre-shared key is known only to the sender and 
the receiver. Moreover, the encryption and decryption algorithms must be known to the 
sender and the receiver beforehand; following Kerckhoffs's principle they are assumed to be 
known to the attacker as well, so all secrecy rests on the key. Finally, a symmetric cipher 
requires a secure method to distribute the pre-shared key. 


4.2 Classical Cryptographic Schemes 


In this section, we introduce a group of traditional cryptographic schemes. A study of these 
techniques helps to illustrate the basic approaches to symmetric encryption used today 
Table 4.1 Basic terminology of cryptographic techniques. 


Term                  Definition 
Plaintext             Original message 
Ciphertext            Coded message 
Cipher                Algorithm for transforming plaintext to ciphertext 
Key                   Information used in the cipher, known only to sender/receiver 
Encipher (encrypt)    Converting plaintext to ciphertext 
Decipher (decrypt)    Recovering plaintext from ciphertext 
Cryptography          Study of encryption principles/methods 
Cryptanalysis         Study of principles/methods of deciphering ciphertext 
                      without knowing the key 
Cryptology            Field of both cryptography and cryptanalysis 


Figure 4.1 Symmetric cipher model: plaintext input → encryption algorithm (pre-shared secret 
key) → transmission of the ciphertext → decryption algorithm (same pre-shared secret key) → 
plaintext output. 


and the types of cryptanalytic attacks that must be anticipated. All classical cryptographic 
schemes are symmetric encryption algorithms built from the techniques of substitution and trans- 
position. A few classical cryptographic algorithms will be presented in detail, such as the 
Caesar cipher, the monoalphabetic cipher, the Playfair cipher, the polyalphabetic cipher, the Vigenère 
cipher, etc. 


4.2.1 Classical Substitution Ciphers 


The two basic building blocks of all encryption techniques are substitution and transposition. 
In substitution-based ciphers, characters of the plaintext are replaced by other letters, numbers, 
or symbols. If the plaintext is viewed as a sequence of bits in binary format, then substitution 
involves replacing plaintext bit patterns with ciphertext bit patterns. 


4.2.1.1 Caesar Cipher 
The Caesar cipher is one of the earliest known substitution ciphers [16]. The original Caesar 
cipher replaces each letter with the letter three positions after it. Nonetheless, any cipher using a simple 
letter shift can be called a Caesar cipher now. In the original Caesar cipher, the transforma- 
tion is defined in Table 4.2. 

Given a plaintext consisting of English letters, its corresponding ciphertext can be found by 
substituting the letters, for example, 


Plaintext:  see you in the midnight 
Ciphertext: VHH BRX LQ WKH PLGQLJKW 


Alternatively, the Caesar cipher can be defined mathematically with modular arithmetic. Each 
letter can be mapped to a number, such that a = 0, b = 1, ..., z = 25. Let k be 
the number of letters to shift (i.e. the symmetric key), then the encryption and decryption 
of the Caesar cipher are calculated as: 


$c = E_k(p) = (p + k) \bmod 26,$  (4.3) 
and 
$p = D_k(c) = (c - k) \bmod 26,$  (4.4) 


where p and c are plaintext and ciphertext, respectively. $E_k(\cdot)$ and $D_k(\cdot)$ are the encryption and 
decryption functions, respectively. 


Cryptanalysis of Caesar cipher The Caesar cipher has only 26 possible keys, of which only 25 are 
of any use, since mapping "a" to "A" (i.e. k = 0) does not obscure the message. Therefore, 
a brute force search can be applied: try all possible keys (shifts) in turn until the original 
message can be recognized. For example, given the ciphertext "ZIVC IEWC XS JMRH," we 
find that the key (shift) is 4 and the original message is "very easy to find." An original 
message (in English or another natural language) is usually easy for a human to recognize. For a 
computer to pick the right candidate automatically, it needs a statistical test, such as comparing 
the letter frequencies of each of the 25 candidate decryptions with those of the language. 
Furthermore, if the original message is compressed data, recognizing the correct decryption 
becomes much harder, because compressed data has no letter statistics to exploit. 


4.2.1.2 Monoalphabetic Cipher 

The Caesar cipher is far from secure with only 25 useful keys. A monoalphabetic cipher maps 
each plaintext letter to a distinct ciphertext letter under an arbitrary permutation of the alphabet. 
Hence the key of a monoalphabetic cipher is 26 letters long. In comparison, the monoalphabetic 
cipher achieves a dramatic increase in key space. For example, with the key given in Table 4.3, 
a plaintext can be encrypted by substituting the letters as follows: 


Plaintext:  if we wish to replace letters 
Ciphertext: OY CT COLI MG KTHSZET STMMTKL 


Table 4.2 Transformation of Caesar cipher. 


Plaintext   a b c d e f g h i j k l m n o p q r s t u v w x y z 
Ciphertext  D E F G H I J K L M N O P Q R S T U V W X Y Z A B C 

Table 4.3 An example key of monoalphabetic cipher. 


Plaintext   a b c d e f g h i j k l m n o p q r s t u v w x y z 
Ciphertext  Z A E R T Y U I O P Q S D F G H J K L M W X C V B N 


Cryptanalysis of monoalphabetic cipher A monoalphabetic cipher has a total of $26! \approx 4 \times 10^{26}$ 
keys. With so many keys, brute force is not feasible for recovering the key in general. 
Does this mean that the monoalphabetic cipher is secure? Unfortunately the answer is 
no. The weakness is due to language characteristics. Human languages are redundant 
(English is discussed as the example here). We don't actually need all the letters in order 
to understand written English text. For example, "ths s nt dffclt" ("this is not difficult") 
can be understood although the vowels were removed. The redundancy is also the reason 
we can compress text files: the computer can derive a more compact encoding without 
losing any information. The basic idea of the attack is to count the relative frequencies of the 
letters in the ciphertext and compare them with the known frequencies of the language. The 
frequency of a ciphertext letter can reveal the plaintext letter behind it, because letters are not 
equally commonly used. In English, "E" is by far the most common letter, followed by "T," 
"A," "O," "I," "N," and so on. Some letters (e.g. "Z," "J," "Q," "X") are rarely used. Figure 4.2 
shows the frequency distribution of English letters [17]. 
For example, given the ciphertext: 


Z COKTSTLL EGDDWFOEZMOGF FTMCGKQ OL Z EGDHWMTK 
FTMCGKQ MIZM WLTL Z COKTSTLL EGFFTEMOGF WLWZSSB 
KZROG EGDDWFOEZMOGF ATMCTTF FTMCGKQ FGRTL. 


By counting the frequency of each letter, one finds that "T" appears 14 times, more than any 
other letter, while "F," "G," "M," "O" and "Z" appear 12, 12, 10, 9 and 8 times. Frequency alone 
therefore only suggests "T" → "e"; the remaining guesses come from word structure: the 
one-letter word "Z" occurs three times and is almost certainly "a," and the pattern "MIZM" then 
fits "that," giving "M" → "t". Therefore, guess that "T" → "e," "M" → "t," and "Z" → "a". 


Figure 4.2 English letter frequency distribution (relative frequency in percent of each letter 
A to Z; E is the highest at about 12.7%, Z the lowest at about 0.07%). Source: Modified from 
Lewand [17]. 
Then "MIZM" → "t?at" reveals that "I" → "h". One may keep proceeding by trial and 
error for the rest of the analysis; short words, doubled letters such as "TT" → "ee" and 
"DD," and the repeated 13-letter word "EGDDWFOEZMOGF" all constrain the remaining 
letters. Shortly, the original message is revealed: 


a wireless communication network is a computer 
network that uses a wireless connection usually 
radio communication between network nodes 


A monoalphabetic cipher maps one letter to another, thus the frequency distribution of 
the letters is only shuffled, not flattened. In order to reduce the "spikiness" of natural language 
text, one approach is to encrypt more than one letter at once. 
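The Python program below is an added worked example, not code from the book. It runs the first, fully automatic step of the frequency attack on the ciphertext above: it counts the ciphertext letters, builds a candidate key by matching their rank order against the English frequency order of Figure 4.2, and measures how much of that candidate agrees with the real key of Table 4.3. Running it shows why the text proceeds by trial and error after the first few letters: rank matching gets "T" → "e" right, but "F" and "G" (both 12 occurrences) outrank "M", so the rest has to be settled from word patterns. The ciphertext and Table 4.3 are the book's; ENGLISH_ORDER (Lewand's order) and the function names are the example's own.

```python
# Added example (not from the book): automated first pass of the frequency attack
# on a monoalphabetic substitution, run on the ciphertext of Section 4.2.1.2.
# The ciphertext and the Table 4.3 key are the book's; the rank-matching
# heuristic and ENGLISH_ORDER are the standard attack, not the book's code.
from collections import Counter
import string

# Lewand's letter order, most frequent first (E, T, A, O, I, N, ...).
ENGLISH_ORDER = "ETAOINSHRDLCUMWFGYPBVKJXQZ"

CIPHERTEXT = ("Z COKTSTLL EGDDWFOEZMOGF FTMCGKQ OL Z EGDHWMTK "
              "FTMCGKQ MIZM WLTL Z COKTSTLL EGFFTEMOGF WLWZSSB "
              "KZROG EGDDWFOEZMOGF ATMCTTF FTMCGKQ FGRTL.")

# Table 4.3: plaintext a..z -> ciphertext letter.
TABLE_4_3 = "ZAERTYUIOPQSDFGHJKLMWXCVBN"

def letter_counts(text):
    """Counter of ciphertext letters, ignoring spaces and punctuation."""
    return Counter(c for c in text.upper() if c in string.ascii_uppercase)

def guess_key_by_rank(text):
    """Map the i-th most frequent ciphertext letter to the i-th most frequent English
    letter. Returns {cipher_letter: plaintext_letter}; ties keep first-seen order."""
    ranked = [c for c, _ in letter_counts(text).most_common()]
    return {c: ENGLISH_ORDER[i].lower() for i, c in enumerate(ranked)}

def apply_key(text, key, unknown="?"):
    """Decrypt with a (possibly partial) ciphertext -> plaintext mapping."""
    return "".join(key.get(c, unknown if c.isalpha() else c) for c in text.upper())

def true_key():
    """Invert Table 4.3: ciphertext letter -> plaintext letter."""
    return {c: p for p, c in zip(string.ascii_lowercase, TABLE_4_3)}

def correct_fraction(guess, truth):
    """Share of the guessed mappings that agree with the real key."""
    return sum(guess[c] == truth[c] for c in guess) / len(guess)

if __name__ == "__main__":
    counts = letter_counts(CIPHERTEXT)
    print(counts.most_common(6))            # T 14, then G 12, F 12, M 10, O 9, L 9
    guess = guess_key_by_rank(CIPHERTEXT)
    print(apply_key(CIPHERTEXT, guess))     # only the e's (and i's) come out right
    print(correct_fraction(guess, true_key()))
    print(apply_key(CIPHERTEXT, {"T": "e", "M": "t", "Z": "a"}))   # the book's 3 guesses
    print(apply_key(CIPHERTEXT, true_key()))
```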


4.2.1.3 Playfair Cipher 

The Playfair cipher treats two letters of the plaintext as a single unit and translates the unit into 
two ciphertext letters. The Playfair cipher was invented by Charles Wheatstone in 1854, but was 
named after his friend Baron Playfair [18]. Playfair encryption/decryption is based on the 
use of a 5 × 5 matrix of letters constructed using a keyword. The keyword is the key. 
The rules for filling in this 5 × 5 Playfair matrix are listed in the following. 


• Left to right. 
• Top to bottom. 
• First with the keyword, after duplicate letters have been removed. 
• Then with the remaining letters in alphabetic order. 
• "I/J" are used as a single letter. 


For example, given the keyword "DECEMBER" (which reduces to DECMBR once duplicate letters 
are removed), the 5 × 5 matrix is the following: 

D E C M B 
R A F G H 
I K L N O 
P Q S T U 
V W X Y Z 
The encryption of the Playfair cipher is performed two letters at a time using the 5 × 5 matrix 
according to the rules shown in the following: 


• If a pair is a repeated letter, insert a filler like "X," e.g. "balloon" is encrypted as 
  "ba lx lo on." 
• If both letters fall in the same row of the matrix, replace each with the letter to its right 
  (wrapping back to the start from the end). 
• If both letters fall in the same column of the matrix, replace each with the letter below it 
  (again wrapping to the top from the bottom). 
• Otherwise, each letter is replaced by the letter in its own row and in the column of the other 
  letter of the pair. 


For instance, using the matrix illustrated earlier, "mb" → "BD," "dv" → "RD," "at" → "GQ," 
and "od" → "IB" (or "JB," since I and J share a cell). Decryption in the Playfair cipher works 
exactly in reverse: the letter to the left, the letter above, and the same rectangle rule. Readers 
should be able to decrypt the example pairs on their own. 
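The following Python program is an added worked example, not code from the book. It builds the Playfair matrix from a keyword exactly by the filling rules above, applies the digraph rules in both directions, and checks itself against the keyword "DECEMBER" and the four example pairs. The handling of an odd-length message (pad with the filler) is the usual convention rather than a rule stated on the page; function names are the example's own.

```python
# Added example (not from the book): a Playfair implementation following the
# matrix-filling and digraph rules of Section 4.2.1.3, checked against the
# book's keyword "DECEMBER" and example pairs. Padding an odd-length message
# with the filler is the usual convention, assumed here.

ALPHABET = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # 25 letters, J merged into I

def build_matrix(keyword):
    """5x5 matrix: keyword letters (deduplicated, J->I) then the remaining alphabet."""
    seen, letters = set(), []
    for ch in (keyword + ALPHABET).upper().replace("J", "I"):
        if ch in ALPHABET and ch not in seen:
            seen.add(ch)
            letters.append(ch)
    return [letters[r * 5:(r + 1) * 5] for r in range(5)]

def positions(matrix):
    """Letter -> (row, column) lookup."""
    return {ch: (r, c) for r, row in enumerate(matrix) for c, ch in enumerate(row)}

def prepare(plaintext, filler="X"):
    """Uppercase, drop non-letters, J->I, split repeated letters, pad to even length."""
    text = "".join(ch for ch in plaintext.upper().replace("J", "I") if ch in ALPHABET)
    pairs, i = [], 0
    while i < len(text):
        a = text[i]
        b = text[i + 1] if i + 1 < len(text) else filler
        if a == b:                       # repeated letter: insert filler, advance by one
            pairs.append(a + filler)
            i += 1
        else:
            pairs.append(a + b)
            i += 2
    return pairs

def transform_pair(pair, matrix, pos, direction):
    """direction = +1 encrypts (right/down), -1 decrypts (left/up)."""
    (r1, c1), (r2, c2) = pos[pair[0]], pos[pair[1]]
    if r1 == r2:                                    # same row
        return matrix[r1][(c1 + direction) % 5] + matrix[r2][(c2 + direction) % 5]
    if c1 == c2:                                    # same column
        return matrix[(r1 + direction) % 5][c1] + matrix[(r2 + direction) % 5][c2]
    return matrix[r1][c2] + matrix[r2][c1]          # rectangle: own row, other's column

def encrypt(plaintext, keyword):
    matrix = build_matrix(keyword)
    pos = positions(matrix)
    return "".join(transform_pair(p, matrix, pos, +1) for p in prepare(plaintext))

def decrypt(ciphertext, keyword):
    matrix = build_matrix(keyword)
    pos = positions(matrix)
    pairs = [ciphertext[i:i + 2] for i in range(0, len(ciphertext), 2)]
    return "".join(transform_pair(p, matrix, pos, -1) for p in pairs)

if __name__ == "__main__":
    for row in build_matrix("DECEMBER"):
        print(" ".join(row))
    print(encrypt("mb", "DECEMBER"), encrypt("dv", "DECEMBER"),
          encrypt("at", "DECEMBER"), encrypt("od", "DECEMBER"))      # BD RD GQ IB
    c = encrypt("balloon", "DECEMBER")
    print(c, decrypt(c, "DECEMBER"))                                    # EHSCNIIO BALXLOON
```

Note that decryption returns the filler letters and the merged I/J, so the recipient has to remove "X" fillers and resolve I/J by context; this is one of the practical weaknesses of the scheme.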
Cryptanalysis of Playfair cipher Security is much improved over the monoalphabetic cipher since 
there are 26 × 26 = 676 possible digraphs. It would need a 676-entry frequency table to analyze, 
versus 26 for a monoalphabetic cipher. The Playfair cipher was widely used for many years, e.g. by 
the British Army in World War I and by the US Army in World War II. However, the Playfair cipher 
can be broken given just a few hundred letters because the ciphertext still retains much of the 
plaintext structure: digraph frequencies survive, and a reversed plaintext pair always encrypts to 
the reversed ciphertext pair. 


4.2.1.4 Polyalphabetic Cipher 

A polyalphabetic cipher improves security by using multiple cipher alphabets. It makes crypt- 
analysis harder, with more alphabets to guess, and flattens the frequency distribution. A polyalpha- 
betic cipher uses a key to select which alphabet is used for each letter of the message. It uses 
each alphabet in turn and repeats from the start after the key is used up. The Vigenère cipher is the 
simplest polyalphabetic substitution cipher. It effectively uses multiple Caesar ciphers. The 
key of the Vigenère cipher is multiple letters long, s.t. $K = k_1 k_2 \ldots k_d$. The ith letter specifies 
the ith alphabet to use; numbering message positions from 0, $c_i = (p_i + k_{(i \bmod d) + 1}) \bmod 26$. After 
the first d letters of a message, it repeats from the start. Since the Vigenère cipher is a symmetric 
cipher, its decryption simply works in reverse, $p_i = (c_i - k_{(i \bmod d) + 1}) \bmod 26$. For example, 
given the keyword "wireless," we then have the key K = 22, 8, 17, 4, 11, 4, 18, 18. A complete 
example, with plaintext "polyalphabetic cipher improves," is given in the following. 


Key:        w i r e l e s s w i r e l e 
Plaintext:  p o l y a l p h a b e t i c 
Ciphertext: L W C C L P H Z W J V X T G 


Key:        s s w i r e l e s s w i r e 
Plaintext:  c i p h e r i m p r o v e s 
Ciphertext: U A L P V V T Q H J K D V W 


Implementing a polyalphabetic cipher by hand can be tedious. Various aids were devised 
to assist the process. The Saint-Cyr slide is a simple manual aid that was popularized and 
named by Auguste Kerckhoffs, who published the famous early text "La Cryptographie Militaire" 
(Military Cryptography) in 1883. He named the slide after the French national military 
academy where the methods were taught. The Saint-Cyr slide is a slide with a repeated alphabet: 
one lines up plaintext "A" with the key letter, e.g. "C," and then reads off the mapping for that key 
letter. The slide can also be bent round into a cipher disk or expanded into a Vigenère 
tableau, as shown in Figure 4.3. 


Cryptanalysis of polyalphabetic cipher The Vigenère cipher was regarded as le chiffre indéchiffrable 
(the unbreakable cipher) for nearly three centuries. As a result of a challenge, it was broken 
by the British mathematician Charles Babbage in 1854. However, Babbage did not publish his 
method; the same technique was found independently and published by Friedrich Kasiski in 1863, 
and Babbage's earlier work only became known from his notes in the twentieth century. The 
Vigenère and related polyalphabetic ciphers have multiple ciphertext letters for each plaintext 
letter, thus single-letter frequencies are obscured. However, this does not completely obscure the 
underlying language characteristics. The key to breaking them is to identify the number d of 
translation alphabets (from the spacing of repeated ciphertext fragments, or from the index of 
coincidence of the ciphertext split into d interleaved columns), and then attack each of the d 
resulting Caesar ciphers separately with ordinary single-letter frequency analysis. 
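The Python program below is an added worked example, not code from the book. It implements the Vigenère cipher of Eqs. (4.3) and (4.4) extended to a repeating key, reproduces the "wireless" example above, and then carries out the attack just described: the key length is recovered by splitting the ciphertext into d interleaved columns and looking for the d at which the columns have the index of coincidence of English, and each column is then solved as a Caesar cipher by picking the shift whose letter distribution is closest (chi-squared) to Lewand's English frequencies from Figure 4.2. With d = 1 the same column solver is the automated brute force that the Caesar cryptanalysis paragraph (Section 4.2.1.1) calls for. The sample plaintext is constructed for the demonstration, and the frequency table, thresholds and names are the example's own.

```python
# Added example (not from the book): the Vigenère cipher of Section 4.2.1.4 and the
# attack sketched in its cryptanalysis paragraph: recover the key length d with the
# index of coincidence, then solve each of the d interleaved Caesar ciphers by the
# chi-squared distance to English letter frequencies. With d = 1 the column solver is
# the automated Caesar brute force of Section 4.2.1.1. The frequency table is
# Lewand's (Figure 4.2); the sample plaintext below is constructed for this example.
import string

ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
                0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
                2.758, 0.978, 2.360, 0.150, 1.974, 0.074]   # A..Z, percent

def clean(text):
    """Keep letters only, uppercase."""
    return "".join(ch for ch in text.upper() if ch in string.ascii_uppercase)

def vigenere(text, key, decrypt=False):
    """c_i = (p_i + k_(i mod d)) mod 26, or the subtraction for decryption."""
    key = clean(key)
    out = []
    for i, ch in enumerate(clean(text)):
        k = ord(key[i % len(key)]) - 65
        shift = -k if decrypt else k
        out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
    return "".join(out)

def index_of_coincidence(text):
    """Probability that two letters drawn from `text` are equal: about 0.066 for
    English, about 0.038 for uniformly random letters."""
    n = len(text)
    if n < 2:
        return 0.0
    counts = [text.count(c) for c in string.ascii_uppercase]
    return sum(f * (f - 1) for f in counts) / (n * (n - 1))

def guess_key_length(ciphertext, max_len=12):
    """Smallest d whose interleaved columns look like monoalphabetic English.
    Multiples of the true d score about the same, hence the margin rule."""
    best_d, best_ic = 1, 0.0
    for d in range(1, max_len + 1):
        columns = [ciphertext[i::d] for i in range(d)]
        avg_ic = sum(index_of_coincidence(col) for col in columns) / d
        if avg_ic > best_ic + 0.005:
            best_d, best_ic = d, avg_ic
    return best_d

def best_caesar_shift(column):
    """Caesar brute force: try all 26 shifts, keep the one closest to English."""
    best_shift, best_score = 0, float("inf")
    expected = [f / 100 * len(column) for f in ENGLISH_FREQ]
    for shift in range(26):
        decoded = [(ord(c) - 65 - shift) % 26 for c in column]
        observed = [decoded.count(i) for i in range(26)]
        chi2 = sum((o - e) ** 2 / e for o, e in zip(observed, expected))
        if chi2 < best_score:
            best_shift, best_score = shift, chi2
    return best_shift

def recover_key(ciphertext, max_len=12):
    """Key length from the index of coincidence, then one Caesar solve per column."""
    d = guess_key_length(ciphertext, max_len)
    return "".join(chr(65 + best_caesar_shift(ciphertext[i::d])) for i in range(d))

SAMPLE = ("the two basic building blocks of all encryption techniques are substitution "
          "and transposition in substitution based ciphers characters of plaintext are "
          "replaced by other letters numbers or symbols if plaintext is viewed as a sequence "
          "of bits then substitution involves replacing plaintext bit patterns with "
          "ciphertext bit patterns a polyalphabetic cipher uses a key to select which "
          "alphabet is used for each letter of the message it uses each alphabet in turn "
          "and repeats from the start after the key is used up the vigenere cipher is the "
          "simplest polyalphabetic substitution cipher and effectively uses multiple caesar "
          "ciphers the key to breaking them is to identify the number of translation "
          "alphabets and then attack each separately with single letter frequency analysis "
          "the playfair cipher treats two letters of the plaintext as a single unit and "
          "translates the unit into two ciphertext letters using a five by five matrix")

if __name__ == "__main__":
    print(vigenere("polyalphabetic cipher improves", "wireless"))  # LWCCLPHZWJVXTGUALPVVTQHJKDVW
    c = vigenere(SAMPLE, "wireless")
    print(round(index_of_coincidence(c), 3), guess_key_length(c), recover_key(c))  # ~0.04 8 WIRELESS
    print(vigenere("ZIVC IEWC XS JMRH", "E", decrypt=True))        # VERYEASYTOFIND (shift 4)
```

The attack needs enough ciphertext that each of the d columns still carries usable letter statistics (a few dozen letters per column); this is exactly the quantity an autokey or running-key scheme tries to deny the attacker.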
Figure 4.3 Vigenère tableau: a 26 × 26 table whose row for key letter k (A to Z) is the alphabet 
shifted by k positions; the ciphertext letter is read at the intersection of the key-letter row and 
the plaintext-letter column. 


4.2.1.5 Autokey Cipher 

Proposed by Vigenère, the autokey cipher took the polyalphabetic idea nearly to the extreme, 
since it wanted as many different translation alphabets as there are letters in the message being 
sent [19]. In the autokey cipher, the keyword is prefixed to the message to form the key. Knowing the 
keyword recovers the first few letters, which are then used in turn as the key for the rest of the message. 
For example, take a keyword “WIRELESS” and a message “autokey cipher example.” First, 
the keyword is prefixed to as much of the message as needed. When deciphering, one 
recovers the first eight letters using the keyword “WIRELESS.” Then, instead of repeating 
the keyword, the recovered letters of the message, “AUTOKEYC,” are used to recover the 
next eight letters, and so on. The complete encryption is shown as follows: 


Key:        W I R E L E S S A U 
Plaintext:  a u t o k e y c i p 
Ciphertext: W C K S V I Q U I J 

Key:        T O K E Y C I P H E 
Plaintext:  h e r e x a m p l e 
Ciphertext: A S B I V C U E S I 


The problem with the autokey cipher is that the key has the same language characteristics 
as the message. That is, a key letter of “E” will be used more often than “T,” etc. Hence 
an “E” encrypted with a key of “E” occurs with probability 0.1275^2 = 0.01663, about twice 
as often as a “T” encrypted with a key of “T.” Cryptanalysis has to use a larger frequency 
table. However, given sufficient ciphertext, the autokey cipher can still be broken. 
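The autokey exchange above, as an added example that is not code from the book. The only assumption is an a-z alphabet; the decryption routine shows the point the text makes, namely that each recovered plaintext letter immediately extends the key for the letters that follow.

```python
# Added example (not from the book): autokey cipher of Section 4.2.1.5.
# The keystream is the keyword followed by the plaintext itself.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def letters_only(s):
    return [c for c in s.upper() if c in ALPHABET]

def autokey_keystream(plaintext, keyword):
    """Keyword prefixed to the message, cut to the message length."""
    p = letters_only(plaintext)
    return "".join((letters_only(keyword) + p)[:len(p)])

def autokey_encrypt(plaintext, keyword):
    p = letters_only(plaintext)
    ks = autokey_keystream(plaintext, keyword)
    return "".join(ALPHABET[(ALPHABET.index(x) + ALPHABET.index(k)) % 26]
                   for x, k in zip(p, ks))

def autokey_decrypt(ciphertext, keyword):
    """The receiver only knows the keyword; every plaintext letter it recovers
    is appended to the keystream and used to decrypt a later letter."""
    c = letters_only(ciphertext)
    ks = letters_only(keyword)          # grows as plaintext is recovered
    out = []
    for i, x in enumerate(c):
        p = ALPHABET[(ALPHABET.index(x) - ALPHABET.index(ks[i])) % 26]
        out.append(p)
        ks.append(p)
    return "".join(out)
```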
4.2.1.6 One-Time Pad 

The one-time pad is an evolution of the Vernam cipher, which was invented by Gilbert Vernam 
in 1918. The Vernam cipher used a long tape of random letters to encrypt the message. 
An Army Signal Corps officer, Joseph Mauborgne, proposed an improvement using a 
random key that was as long as the message with no repetitions, which can totally obscure 
the original message. The one-time pad produces a random output that bears no statistical 
relationship to the plaintext. Because the ciphertext contains no information about the 
plaintext, there is no way to break the code, since any plaintext can be mapped to any ciphertext 
given some key. Although the one-time pad offers complete security, it has two fundamental 
difficulties in practice. One is the practical problem of making large quantities of 
random keys. The other is the problem of key distribution and protection, where for every 
message to be sent, a key of equal length is needed by both sender and receiver. Because 
of these difficulties, the one-time pad is of limited use, and is only practical for low-bandwidth 
channels requiring very high security. 


4.2.2 Classical Transposition Ciphers 


All the techniques introduced in Section 4.2.1 involve the substitution of a ciphertext sym- 
bol for a plaintext symbol. Another type of mapping is achieved by performing some sort of 
permutation on the plaintext letters. This technique is referred to as a transposition cipher, 
and forms the second basic building block of ciphers. The core idea is to rearrange the order 
of basic units (letters/bytes/bits) without altering their actual values. 


4.2.2.1 Rail Fence Cipher 

The simplest transposition cipher is the rail fence cipher. The technique is to write down the 
plaintext as a sequence of diagonals and then read it off as a sequence of rows. For example, 
to encrypt ‘rail fence cipher example’ with a rail fence of depth 2, first write the message letters 
out diagonally over a number of rows, i.e. 2 in this example. 

r   i   f   n   e   i   h   r   x   m   l 
  a   l   e   c   c   p   e   e   a   p   e 

Thus, the ciphertext is “RIFNEIHRXMLALECCPEEAPE.” A transposition cipher is easy 
to recognize because it has the same letter frequencies as the original plaintext. For the 
type of transposition just shown, cryptanalysis is fairly straightforward by laying out the 
ciphertext in a matrix and playing around with column positions. 


4.2.2.2 Row Transposition Cipher 

The row transposition cipher is a more complex transposition cipher. It writes the letters of 
a message in rows over a specified number of columns. Then the columns are read off 
column by column in an order given by some key. For example, given a key 
“3,1,4,2,7,6,5” (meaning seven columns), the plaintext “row transposition cipher test” is 
rewritten into 

Key:        3 1 4 2 7 6 5 
Plaintext:  r o w t r a n 
            s p o s i t i 
            o n c i p h e 
            r t e s t x y 

Note that “x,y” are attached to fill the columns. The ciphertext is read column by column 
according to the sequence of the key, i.e. 

Ciphertext: OPNT TSIS RSOR WOCE NIEY ATHX RIPT. 

To decipher the ciphertext, simply rebuild the columns and the plaintext will be the row-wise 
reading of them. 
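The two transposition ciphers of this section, as an added example that is not code from the book. It generalizes the rail fence to any depth and the row transposition to any column key; the padding letters “x,y” and the a-z-only handling follow the book's worked examples.

```python
# Added example (not from the book): rail fence and row transposition ciphers,
# generalized to any rail depth and any column key.
def rail_index(i, depth):
    """Rail (row) on which the i-th letter lands when writing in a zig-zag."""
    period = 2 * (depth - 1) if depth > 1 else 1
    r = i % period
    return r if r < depth else period - r

def rail_fence_encrypt(text, depth):
    letters = [c for c in text.lower() if c.isalpha()]
    rails = [[] for _ in range(depth)]
    for i, c in enumerate(letters):
        rails[rail_index(i, depth)].append(c)
    return "".join("".join(rail) for rail in rails).upper()   # read off row by row

def rail_fence_decrypt(cipher, depth):
    pattern = [rail_index(i, depth) for i in range(len(cipher))]
    rails, pos = [], 0
    for r in range(depth):                       # cut the ciphertext into its rails
        n = pattern.count(r)
        rails.append(list(cipher[pos:pos + n]))
        pos += n
    return "".join(rails[r].pop(0) for r in pattern)   # replay the zig-zag

def row_transposition_encrypt(text, key, pad="xy"):
    """key is a list such as [3, 1, 4, 2, 7, 6, 5]: the column whose key
    digit is 1 is read off first, then the column with digit 2, and so on."""
    letters = [c for c in text.lower() if c.isalpha()]
    cols = len(key)
    fill = 0
    while len(letters) % cols:                   # pad the last row ("x,y" in the book)
        letters.append(pad[fill % len(pad)])
        fill += 1
    rows = [letters[i:i + cols] for i in range(0, len(letters), cols)]
    order = sorted(range(cols), key=lambda c: key[c])
    return "".join(row[c] for c in order for row in rows).upper()

def row_transposition_decrypt(cipher, key):
    """Rebuild the columns from the ciphertext, then read the rows."""
    cols = len(key)
    nrows = len(cipher) // cols
    order = sorted(range(cols), key=lambda c: key[c])
    columns = [None] * cols
    for k, c in enumerate(order):
        columns[c] = cipher[k * nrows:(k + 1) * nrows]
    return "".join(columns[c][r] for r in range(nrows) for c in range(cols)).lower()
```

Decryption of the row transposition assumes the ciphertext length is a multiple of the column count, which the padding during encryption guarantees; the padding letters come back with the plaintext and have to be stripped by the reader.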


4.2.2.3 Product Cipher 

Ciphers based solely on either substitutions or transpositions are not secure. They can 
be attacked because they do not sufficiently obscure the underlying language structure. 
A solution to enhance the security is to use several ciphers in succession. For instance, two 
substitutions make a more complex substitution. Two transpositions make a more complex 
transposition. Furthermore, a substitution followed by a transposition makes a new and 
much harder cipher. The product cipher was a concept introduced by Claude Shannon, who 
presented his idea in “Communication Theory of Secrecy Systems” [20]. A product cipher uses a 
combination of a substitution followed by a transposition. It is a much more secure cipher 
compared with the other classical ciphers discussed earlier. The product cipher forms the bridge 
to modern ciphers. It has become the basic building block for several encryption standards 
such as the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). 


4.2.3 More Advanced Classical Ciphers 


The next major advance in ciphers deployed mechanical devices that enabled complex 
varying substitutions. Before modern ciphers, rotor machines were the most common complex 
ciphers in use. 


4.2.3.1 Rotor Machines 

A rotor machine consists of a set of independently rotating cylinders through which elec- 
trical pulses can flow. Each cylinder has 26 input pins and 26 output pins, with internal 
wiring that connects each input pin to a unique output pin. If we associate each input and 
output pin with a letter of the alphabet, then a single cylinder defines a monoalphabetic 
substitution. After each input key is depressed, the cylinder rotates one position, so that 
the internal connections are shifted accordingly. The power of the rotor machine is in the 
use of multiple cylinders, in which the output pins of one cylinder are connected to the 
input pins of the next, and with the cylinders rotating like an “odometer,” leading to a very 
large number of substitution alphabets being used. Rotor machines were extensively used 
in World War II, and the history of their use and analysis is one of the great stories from 
World War II. 


4.2.3.2 Steganography 

Steganography is an alternative to encryption that hides the very existence of a message 
by some means. There is a large range of techniques for doing this. Steganography has a 
number of drawbacks when compared with encryption. It requires a lot of overhead to hide 
a relatively few bits of information. Also, once the system is discovered, it becomes virtually 
worthless, although a message can be first encrypted and then hidden using steganography. 
An example of steganography is shown in Figure 4.4; can you find the original message? 
(Hint: check the last word of each line.) 

Wireless communications have been much improved in our 
daily life. Most households are now equipped with Wi-Fi 
routers. The default password implemented in the router 
is usually a random value. Therefore, it is hard to be hacked 
without physical access. Many users would prefer to update 
with an easy to remember password. 

Figure 4.4 An example of steganography. 


4.3 Stream Cipher 


A stream cipher is a symmetric key cipher. Each plaintext digit (a bit or a byte) is encrypted 
one at a time with the corresponding digit of the keystream. As shown in Figure 4.5, the 
encryption is generally an XOR function, where a digit of the plaintext is XORed with the 
corresponding digit of the keystream. The keystream is usually a pseudo-random sequence 
generated by an algorithm from a (pseudo-)random seed value. Because a stream cipher is a 
symmetric key cipher, the seed value is shared between transmitter and receiver 
and serves as the cryptographic key. The keystream is generated at both sides instead of being 
transmitted. 


4.3.1 Rivest Cipher 4 


Rivest Cipher 4 (RC4) is one of the typical and widely used stream ciphers. It was designed 
by Ron Rivest of RSA Security in 1987. Because of its speed and simplicity, RC4 has been 
applied in many applications for years, e.g. Wired Equivalent Privacy (WEP) and Wireless 
Protected Access (WPA) in wireless local area networks, and Transport Layer Security 
(TLS) for Internet security. There are two elements in the RC4 algorithm: the Key Scheduling 
Algorithm (KSA) and the Pseudo-Random Generation Algorithm (PRGA). 

KSA is the key scheduling algorithm. Its key initialization process takes as input 
the l-byte secret key K and generates a 256-entry state array S. 
The detailed process of KSA is illustrated in Algorithm 4.1. The array S is initialized with the values 0 
to 255 and is then shuffled based on the input key. PRGA is the pseudo-random generation 
algorithm that runs after KSA. As shown in Figure 4.6, two entries of the array S are first 
chosen, S[i] and S[j], and swapped. Then, a new index is calculated as 
(S[i] + S[j]) mod 256. Lastly, the element of S at this index is output as the 
keystream byte k. PRGA is summarized in Algorithm 4.2. 


Figure 4.5 Structure of stream cipher. The key seeds a keystream generator on each side; at the 
sender the plaintext is XORed with the keystream (encryption), and at the receiver the ciphertext 
is XORed with the same keystream to recover the plaintext (decryption). 
Algorithm 4.1 Key Scheduling Algorithm (KSA) for RC4 
Input: K, l; 
Output: state array S; 
for i = 0 to 255 do 
    S[i] ← i; 
end for 
j ← 0; 
for i = 0 to 255 do 
    j ← (j + S[i] + K[i mod l]) mod 256; 
    SWAP(S[i], S[j]); 
end for 

Figure 4.6 The overview of the keystream generation. 

Algorithm 4.2 Pseudo-Random Generation Algorithm (PRGA) for RC4 
Input: K, l, S; 
Output: k; 
i ← 0, j ← 0; 
while generating output do 
    i ← (i + 1) mod 256; 
    j ← (j + S[i]) mod 256; 
    SWAP(S[i], S[j]); 
    k ← S[(S[i] + S[j]) mod 256]; 
end while 


The keystream byte k generated by the PRGA is XORed with the plaintext byte to 
produce the ciphertext byte at the sender side. At the receiver side, the same keystream byte k, 
generated by the same PRGA from the same key, is XORed with the received ciphertext byte to recover 
the original plaintext. 
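Algorithms 4.1 and 4.2 written out as running code, as an added example that is not code from the book. Besides KSA, PRGA and the XOR step, it includes a small check of the property that makes keystream reuse dangerous: when two messages are encrypted under the same key, the XOR of the two ciphertexts equals the XOR of the two plaintexts, because the identical keystream cancels. The test vector used below (key "Key", plaintext "Plaintext") is the widely published RC4 example, not one from the book.

```python
# Added example (not from the book): RC4 as in Algorithms 4.1 and 4.2.
def rc4_ksa(key):
    """Algorithm 4.1: initialize S to 0..255, then shuffle it with the l-byte key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S

def rc4_keystream(key, n):
    """Algorithm 4.2: produce n keystream bytes from the scheduled state."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4_crypt(key, data):
    """Encryption and decryption are the same operation: XOR with the keystream."""
    ks = rc4_keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def same_key_leaks_xor(key, m1, m2):
    """Why a seed must never be reused: c1 XOR c2 == m1 XOR m2 when both
    messages were encrypted with the same keystream (the key drops out)."""
    n = min(len(m1), len(m2))
    c1, c2 = rc4_crypt(key, m1[:n]), rc4_crypt(key, m2[:n])
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(m1[:n], m2[:n]))
```

The reuse check is the reason a stream cipher needs a fresh seed for every message, which is the point the block cipher overview in the next section makes.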


4.4 Modern Block Ciphers 


4.4.1 Overview of Modern Block Ciphers 


Modern block ciphers are some of the most widely used types of cryptographic algorithms. 
They provide encryption of quantities of information (secrecy), and/or a cryptographic 
checksum to ensure that the contents have not been altered (authentication). In this 
section, we present the basics of modern block cipher design and DES. AES and the different 
modes of block cipher operation are introduced in the next chapter. Different from 
stream ciphers, block ciphers operate on large blocks of digits with a fixed transformation. 
However, this distinction is not always clear-cut: in some modes of operation (which will 
be discussed in the next chapter), a block cipher primitive is used in such a way that it 
acts effectively as a stream cipher. Compared with stream ciphers, block ciphers typically 
execute at a slower speed and have higher hardware complexity. However, stream ciphers 
can be susceptible to serious security problems if used incorrectly. In particular, the same 
starting state (seed) must never be used twice. Therefore, block ciphers have a broader 
range of applications. A block cipher operates on a plaintext block of n bits to produce 
a ciphertext block of n bits. An arbitrary reversible substitution cipher for a large block 
size is not practical, however, from an implementation and performance point of view. In 
general, for an n-bit substitution block cipher, the length of the key is n × 2^n. For example, 
a 64-bit block, which is a desirable length to thwart statistical attacks, has a key length of 
64 × 2^64 = 2^70 ≈ 10^21 bits. Several symmetric block encryption algorithms in current use 
are based on a structure referred to as a Feistel block cipher. 


4.4.2 Feistel Block Cipher 


4.4.2.1 Ideal Block Cipher 
Before heading into the Feistel block cipher system, let us discuss some of the basics for 
block ciphers. First, for block size n = 2, there are 2^n = 4 possible different plaintext blocks. 
In order to make the encryption reversible (i.e. for decryption to be possible), each plaintext 
block must produce a unique ciphertext block. Also, a block cipher operates on a plaintext 
block of n bits to produce a ciphertext block of n bits. The mapping shown in Figure 4.7a is 
reversible. The mapping shown in Figure 4.7b is irreversible since both plaintexts “01” and 
“10” are mapped to “01.” Given “01” as the ciphertext, it is not possible to recover a unique 
plaintext. A block cipher must be a reversible mapping. An n-bit general substitution, the 
ideal block cipher, allows for the maximum number of possible encryption mappings 
from a plaintext block to a ciphertext block. For example, a 4-bit input produces one of 16 
possible input states, which is mapped by the substitution cipher into a unique one of 16 
possible output states, each of which is represented by 4 ciphertext bits. The encryption and 
decryption mappings can be defined by two tables. Figure 4.8 shows a set of encryption and 
decryption tables of a 4-bit substitution block cipher. 

In Claude Shannon’s 1949 paper, he proposed the key ideas that led to the development 
of modern block ciphers [20]. It was the technique of layering groups of substitution boxes 
(S-boxes) separated by a larger permutation box (P-box) to form the S-P (substitution and 


Figure 4.7 Examples of reversible and irreversible mappings for n = 2. 
(a) Reversible mapping. (b) Irreversible mapping. 

(a) Reversible mapping          (b) Irreversible mapping 
Plaintext   Ciphertext          Plaintext   Ciphertext 
00          10                  00          11 
01          11                  01          01 
10          01                  10          01 
11          00                  11          10 

(a) Encryption table            (b) Decryption table 
Plaintext   Ciphertext          Ciphertext  Plaintext 
0000        1101                0000        1111 
0001        0100                0001        0100 
0010        1110                0010        0011 
0011        0010                0011        0111 
0100        0001                0100        0001 
0101        1111                0101        1101 
0110        1011                0110        1011 
0111        0011                0111        1110 
1000        1000                1000        1000 
1001        1010                1001        1100 
1010        1100                1010        1001 
1011        0110                1011        0110 
1100        1001                1100        1010 
1101        0101                1101        0000 
1110        0111                1110        0010 
1111        0000                1111        0101 

Figure 4.8 Encryption and decryption tables for a 4-bit substitution cipher. 


permutation) network, a complex form of a product cipher. He also introduced the ideas of 
confusion and diffusion of messages and keys, notionally provided by S-boxes and P-boxes. 
Every block cipher involves a transformation of a block of plaintext into a block of cipher- 
text, where the transformation depends on the key. The mechanism of diffusion seeks to 
make the statistical relationship between the plaintext and ciphertext as complex as possi- 
ble in order to thwart attempts to deduce the key. Confusion seeks to make the relationship 
between the statistics of the ciphertext and the value of the encryption key as complex as 
possible, again to thwart attempts to discover the key. Due to the success of diffusion and 
confusion in capturing the essence of the desired attributes of a block cipher, they have 
become the cornerstone of modern block cipher design. 


4.4.2.2 Feistel Cipher Structure 

The Feistel cipher structure was devised by Horst Feistel. One of Feistel’s main contributions 
was the invention of a suitable structure, which adapted Shannon’s S-P network into an easily 
inverted structure. Figure 4.9 illustrates the classical Feistel cipher structure. As shown in 
Figure 4.9a, the input data in the encryption process is split into two halves (i.e. L_0 and R_0) 
and processed through a number of rounds. In each round, a substitution is performed on 
the left half (i.e. L_{i-1} in the ith round) using the output of the round function f(·). The round 
function f(·) performs a series of substitutions and permutations on the right half (i.e. R_{i-1} in the 
ith round) and a subkey (i.e. k_i in the ith round). The final stage of a round is a permutation 
function, which swaps the two halves. The output of the left half is input into the right side 
of the next round, and the output of the right half is input into the left side of the next 
round, such that 

L_i = R_{i-1}, 
R_i = L_{i-1} \oplus f(R_{i-1}, k_i). 
Figure 4.9 Encryption and decryption structures of Feistel cipher. (a) Encryption. (b) Decryption. 


The output of the final round gets swapped, so that R_n || L_n is the ciphertext. 

The decryption process with a Feistel cipher is essentially the same as the encryption 
process. As illustrated in Figure 4.9b, the input to the ith decryption round is L'_{i-1} || R'_{i-1}, or 
equivalently,  R_{n-i+1} || L_{n-i+1}. The subkeys k_i are applied in reverse order, that is, k_n is used in 
the first round, k_{n-1} is used in the second round, and so on until k_1 is used in the last round. 
The decryption process can be presented as follows: 

L'_0 = R_n, 
R'_0 = L_n, 
L'_1 = R'_0 = L_n = R_{n-1}, 
R'_1 = L'_0 \oplus f(R'_0, k_n) = R_n \oplus f(R_{n-1}, k_n) = L_{n-1}, 
\vdots 
L'_n = R_0, 
R'_n = L_0. 

A final swap recovers the original plaintext R'_n || L'_n = L_0 || R_0, demonstrating the validity 
of the Feistel decryption process. Note that f does not have to be a reversible function. 
As you may see, the Feistel cipher has a very nice feature that only one algorithm is needed 
for both encryption and decryption. Essentially the same hardware or software is used for 
both encryption and decryption, with just a slight change in how the keys are used. The 
Table 4.4 Parameters and design features of Feistel cipher structure. 

Parameter and features    Description 
Block size                Increasing size improves security, but slows cipher 
Key size                  Increasing size improves security, makes exhaustive key 
                          searching harder, but may slow cipher 
Number of rounds          Increasing number improves security, but slows cipher 
Subkey generation         Greater complexity can make analysis harder, but slows cipher 
Round function            Greater complexity can make analysis harder, but slows cipher 
Software implementation   More recent concern for practical use 
Ease of analysis          For easier validation and testing of strength 

exact realization of a Feistel cipher depends on the choice of block size, key size, number 
of rounds, subkey generation algorithm, round function, etc. Details of the parameters and 
design features are listed in Table 4.4. 
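A toy Feistel cipher, as an added example that is not code from the book: 16-bit blocks with 8-bit halves, built directly from L_i = R_{i-1}, R_i = L_{i-1} ⊕ f(R_{i-1}, k_i). The round function and the subkey schedule are constructed for illustration only (they are not secure and are not the book's); the round function is deliberately not a bijection, to show that decryption still works when f is not invertible, exactly as the text states.

```python
# Added example (not from the book): a toy Feistel cipher on 16-bit blocks.
# Round function and key schedule are constructed for illustration only.
ROUNDS = 8

def f(r, k):
    """Toy round function. Squaring modulo 256 is NOT a bijection (x and
    256 - x collide), so f is not invertible, yet the cipher still is."""
    x = r ^ k
    return (x * x) & 0xFF

def f_is_bijection(k):
    return len({f(r, k) for r in range(256)}) == 256

def key_schedule(key16, rounds=ROUNDS):
    """Constructed schedule: rotate the 16-bit key by 3 each round, take the low byte."""
    subkeys = []
    for _ in range(rounds):
        key16 = ((key16 << 3) | (key16 >> 13)) & 0xFFFF
        subkeys.append(key16 & 0xFF)
    return subkeys

def feistel(block16, subkeys):
    """Apply the rounds in the given subkey order, then the final swap R_n || L_n."""
    left, right = block16 >> 8, block16 & 0xFF
    for k in subkeys:
        left, right = right, left ^ f(right, k)   # L_i = R_{i-1}, R_i = L_{i-1} ^ f(R_{i-1}, k_i)
    return (right << 8) | left

def encrypt(block16, subkeys):
    return feistel(block16, subkeys)

def decrypt(block16, subkeys):
    # Same algorithm; only the subkey order is reversed (k_n first, k_1 last).
    return feistel(block16, list(reversed(subkeys)))
```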


4.4.3 Block Cipher Design 


The cryptographic strength of a Feistel cipher derives from three aspects of the design: the 
number of rounds, the function f(·), and the key schedule algorithm. The greater the number 
of rounds, the more difficult it is to perform cryptanalysis, even for a relatively weak f(·). 
In general, the criterion should be that the number of rounds is chosen so that known 
cryptanalytic attacks require greater effort than a simple brute-force key search attack. This 
criterion makes it easy to judge the strength of an algorithm and to compare different algorithms. 
The function f(·) provides the element of confusion in a Feistel cipher; we want it to be difficult 
to “unscramble” the substitution performed by f(·). One obvious criterion is that f(·) be 
nonlinear. The more nonlinear f(·), the more difficult any type of cryptanalysis will be. It is 
expected to have good avalanche properties, or even to satisfy the strict avalanche criterion. Another 
criterion is the bit independence criterion. One of the most intense areas of research in 
the field of symmetric block ciphers is that of S-box design. We would like any change to the 
input vector of an S-box to result in random-looking changes to the output. The relationship 
should be nonlinear and difficult to approximate with linear functions. A final area of 
block cipher design, and one that has received less attention than S-box design, is the key 
schedule algorithm. With any Feistel block cipher, the key schedule is used to generate a 
subkey for each round. We would like to select subkeys so as to maximize the difficulty of deducing 
individual subkeys and the difficulty of working back to the main key. The key schedule 
should guarantee the key/ciphertext strict avalanche criterion and the bit independence criterion. 


4.5 Data Encryption Standard (DES) 


4.5.1 Overview of DES 


In 1973, the National Bureau of Standards (NBS) issued a request for proposals for a national 
cipher standard. IBM submitted a modified LUCIFER, which was originally designed for 
IBM mainframe computers. It was by far the best algorithm proposed and was adopted in 
1977 by the National Bureau of Standards as Federal Information Processing Standard 46 
(FIPS PUB 46), also known as DES. Despite its popularity as a symmetric key block 
cipher, DES has been the subject of much controversy over its security. Before its adoption 
as a standard, the proposed DES was subjected to intense and continuing criticism over the 
size of its key and the classified design criteria. Subsequent analysis showed that despite this 
controversy, DES is well designed. DES is theoretically broken using differential or linear 
cryptanalysis, but in practice this is unlikely to be a problem yet. Rapid advances in 
computing speed, though, have rendered the 56-bit key susceptible to exhaustive key search. DES 
has flourished and is widely used, especially in financial applications. It is still standardized 
for legacy systems, with either AES or triple DES for new applications. 

The overall scheme for DES encryption is illustrated in Figure 4.10. It takes as input 64 bits of 
data and a 56-bit key. The basic process for enciphering a 64-bit data block consists of an Initial 
Permutation (IP) of the 64-bit plaintext and a Permuted Choice 1 (PC1) of the key, which 
selects 56 bits out of the 64-bit input in two 28-bit halves; 16 rounds of the same function, 
which involves both permutation and substitution functions, with a generated 48-bit subkey 
in each of the 16 rounds; and, after the left and right 32-bit halves are swapped following round 16, 
a final permutation (i.e. the inverse IP). As you may have observed, with the exception 
of the initial and final permutations, DES has the exact structure of a Feistel cipher. 


4.5.2 Initial Permutation (IP) 


The initial permutation (IP) is the first step of the data operation. It reorders the input data 
bits B into the output data bits X, i.e. X = IP(B). The IP is defined in Table 4.5. The input table 


Figure 4.10 DES encryption overview. The 64-bit plaintext passes through the initial permutation, 
16 rounds (round i using the 48-bit subkey k_i, obtained from the 56-bit output of permuted 
choice 1 by left circular shifts and permuted choice 2), a 32-bit swap, and the inverse initial 
permutation. 


Table 4.5 Initial permutation (IP). 

58  50  42  34  26  18  10   2 
60  52  44  36  28  20  12   4 
62  54  46  38  30  22  14   6 
64  56  48  40  32  24  16   8 
57  49  41  33  25  17   9   1 
59  51  43  35  27  19  11   3 
61  53  45  37  29  21  13   5 
63  55  47  39  31  23  15   7 
consists of 64 bits numbered left to right from 1 to 64. The 64 entries in the permutation table 
contain a permutation of the numbers from 1 to 64. Each entry in the permutation table 
indicates the position of a numbered input bit in the output, which also consists of 64 bits. For 
example, given an input block (E71469475E5A6B5E) in hexadecimal (HEX), we first fill in the 
64-bit table row by row from left to right, e.g. B_1 B_2 B_3 B_4 = 1110: 

Input bits B_1 ... B_64 (eight per row) 
B_1  ... B_8    11100111 
B_9  ... B_16   00011010 
B_17 ... B_24   01101001 
B_25 ... B_32   01000111 
B_33 ... B_40   01011110 
B_41 ... B_48   01011010 
B_49 ... B_56   01101011 
B_57 ... B_64   01011110 

Output bits X_1 ... X_64 after IP (row i of the output collects the input bits listed in row i 
of Table 4.5, e.g. X_1 X_2 X_3 X_4 = B_58 B_50 B_42 B_34 = 1111) 
X_1  ... X_8    11111101 
X_9  ... X_16   10110010 
X_17 ... X_24   10011001 
X_25 ... X_32   01001101 
X_33 ... X_40   00000001 
X_41 ... X_48   01000101 
X_49 ... X_56   11110110 
X_57 ... X_64   11111011 

After the permutation, the output is (FDB2994D0145F6FB) in HEX. 
During the decryption process, the inverse permutation table IP^{-1} is applied, as shown 
in Table 4.6. 


4.5.3 DES Round Function 


As shown in Figure 4.11, each DES round follows the classic structure of a Feistel cipher, 
where L_i = R_{i-1} and R_i = L_{i-1} \oplus f(R_{i-1}, k_i). The round function f(·) of DES takes in the 32-bit 
right half (R) and a 48-bit subkey. The round function first processes the 32-bit R through the 
expansion permutation E(·). 
Table 4.6 Inverse initial permutation (IP^{-1}). 


Figure 4.11 DES round structure. In round i, the 32-bit R_{i-1} is expanded by E to 48 bits, 
XORed with the 48-bit round key k_i, reduced back to 32 bits by the substitution/choice 
(S-box) stage, and permuted by P; the 32-bit result is XORed into L_{i-1} to form R_i. 


As shown in Table 4.7, the input to E(·) is written in an 8 × 4 table. Each entry in the left-most 
column is expanded to its left by the entry that precedes it in the original matrix. Note 
that the first entry is expanded with the last entry (i.e. 32 is placed to the left of 1). Each 
entry in the right-most column is expanded to its right by the entry that follows it in the 
original matrix. Note that the last entry is expanded with the first entry (i.e. 1 is placed to 
the right of 32). The output of E is 48 bits (8 × 6). 

After the expansion, the 48-bit subkey is added to the 48-bit output using XOR. The result 
is split into eight 6-bit sequences, which are passed through eight substitution boxes (S-boxes), 
respectively. The output of each S-box is 4 bits. The overall output of the S-boxes is 32 bits. 


Table 4.7 Expansion permutation (E). 

32   1   2   3   4   5 
 4   5   6   7   8   9 
 8   9  10  11  12  13 
12  13  14  15  16  17 
16  17  18  19  20  21 
20  21  22  23  24  25 
24  25  26  27  28  29 
28  29  30  31  32   1 
4.5.3.1 DES S-Boxes 

DES has eight S-boxes, as defined in Table 4.8. The S-boxes are designed to provide 
non-linearity, resistance to differential cryptanalysis and good confusion. Each of 
the eight S-boxes accepts 6 bits as input and produces 4 bits as output. For example, 
S_1(011000) = 0101. The input of an S-box is 6 bits, e.g. b_1 b_2 b_3 b_4 b_5 b_6. The first and last bits 
of the input form a 2-bit binary number (i.e. b_1 b_6), which is used to select one of the four 
substitutions defined by the four rows in the table (00, 01, 10, 11). The four bits in the 


Table 4.8 DES S-boxes. 

S_1   14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7 
       0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8 
       4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0 
      15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13 

S_2   15   1   8  14   6  11   3   4   9   7   2  13  12   0   5  10 
       3  13   4   7  15   2   8  14  12   0   1  10   6   9  11   5 
       0  14   7  11  10   4  13   1   5   8  12   6   9   3   2  15 
      13   8  10   1   3  15   4   2  11   6   7  12   0   5  14   9 

S_3   10   0   9  14   6   3  15   5   1  13  12   7  11   4   2   8 
      13   7   0   9   3   4   6  10   2   8   5  14  12  11  15   1 
      13   6   4   9   8  15   3   0  11   1   2  12   5  10  14   7 
       1  10  13   0   6   9   8   7   4  15  14   3  11   5   2  12 

S_4    7  13  14   3   0   6   9  10   1   2   8   5  11  12   4  15 
      13   8  11   5   6  15   0   3   4   7   2  12   1  10  14   9 
      10   6   9   0  12  11   7  13  15   1   3  14   5   2   8   4 
       3  15   0   6  10   1  13   8   9   4   5  11  12   7   2  14 

S_5    2  12   4   1   7  10  11   6   8   5   3  15  13   0  14   9 
      14  11   2  12   4   7  13   1   5   0  15  10   3   9   8   6 
       4   2   1  11  10  13   7   8  15   9  12   5   6   3   0  14 
      11   8  12   7   1  14   2  13   6  15   0   9  10   4   5   3 

S_6   12   1  10  15   9   2   6   8   0  13   3   4  14   7   5  11 
      10  15   4   2   7  12   9   5   6   1  13  14   0  11   3   8 
       9  14  15   5   2   8  12   3   7   0   4  10   1  13  11   6 
       4   3   2  12   9   5  15  10  11  14   1   7   6   0   8  13 

S_7    4  11   2  14  15   0   8  13   3  12   9   7   5  10   6   1 
      13   0  11   7   4   9   1  10  14   3   5  12   2  15   8   6 
       1   4  11  13  12   3   7  14  10  15   6   8   0   5   9   2 
       6  11  13   8   1   4  10   7   9   5   0  15  14   2   3  12 

S_8   13   2   8   4   6  15  11   1  10   9   3  14   5   0  12   7 
       1  15  13   8  10   3   7   4  12   5   6  11   0  14   9   2 
       7  11   4   1   9  12  14   2   0   6  10  13  15   3   5   8 
       2   1  14   7   4  10   8  13  15  12   9   0   3   5   6  11 
Figure 4.12 Illustration of S-box process. 

middle (i.e. b_2 b_3 b_4 b_5) determine one of the 16 columns (from 0000 to 1111). Note that 
both the rows and the columns are indexed starting from 0. The decimal value in the cell 
selected by the row and column is then converted to its 4-bit representation to produce the 
output. The process of S_1(011000) is shown in Figure 4.12. The row is 00 (the first row) and 
the column is 1100 (column 12, i.e. the 13th column). The value is 5 in decimal. Thus the output is 0101 
by converting 5 into binary format. 


Question: Given an input to the S-boxes as a sequence of 48 bits, written as eight 6-bit values in 
hexadecimal: 

S = (27, 12, 03, 3d, 21, 37, 15, 24), 

can you find the corresponding output? (Solution: (2, 7, 7, 2, B, 7, 5, 4) in hexadecimal.) 


4.5.3.2 DES Permutation Function 

The output of S-boxes is finally processed by permutation function P. The detailed permu- 
tation table is shown in Table 4.9. Note that the S-boxes provide the “confusion” of data 
and key values, while the permutation P(-) spreads this as widely as possible, so each S-box 
output affects as many S-box inputs in the next round as possible to increase “diffusion.” 


4.5.4 DES Key Schedule 


In each of the 16 rounds, a subkey is also part of the input to the round function f(·). The subkeys
are generated from the 56-bit key, one for each data encryption round. In practice, the input
symmetric key K is 64 bits long; the extra 8 bits can be parity bits or simply arbitrary. The
overall subkey generation process is shown in Figure 4.13. Note that the input of the key
schedule is a 64-bit symmetric key K.

The first operation of subkey generation is Permutation Choice 1 (PC1). Given an input
key indexed as shown in Table 4.10, the output of PC1 is shown in Table 4.11. The output of PC1
is 56 bits: bits (8, 16, 24, 32, 40, 48, 56, 64) are discarded during the process because those
8 bits are not used in the 56-bit key input to the DES key schedule. The output of PC1 is
treated as two 28-bit quantities (i.e. the upper 4 rows and the lower 4 rows). At each
round, the two halves are separately subjected to a circular left shift of 1 or 2 bits according
to the schedule listed in Table 4.12.


Table 4.9 Permutation function (P).

16 |  7 | 20 | 21 | 29 | 12 | 28 | 17
 1 | 15 | 23 | 26 |  5 | 18 | 31 | 10
 2 |  8 | 24 | 14 | 32 | 27 |  3 |  9
19 | 13 | 30 |  6 | 22 | 11 |  4 | 25


Figure 4.13 The key schedule of DES.


Table 4.10 Indexes of the input key K.

 1 |  2 |  3 |  4 |  5 |  6 |  7 |  8
 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16
17 | 18 | 19 | 20 | 21 | 22 | 23 | 24
25 | 26 | 27 | 28 | 29 | 30 | 31 | 32
33 | 34 | 35 | 36 | 37 | 38 | 39 | 40
41 | 42 | 43 | 44 | 45 | 46 | 47 | 48
49 | 50 | 51 | 52 | 53 | 54 | 55 | 56
57 | 58 | 59 | 60 | 61 | 62 | 63 | 64


Table 4.11 Permutation choice 1 (PC1).

57 | 49 | 41 | 33 | 25 | 17 |  9
 1 | 58 | 50 | 42 | 34 | 26 | 18
10 |  2 | 59 | 51 | 43 | 35 | 27
19 | 11 |  3 | 60 | 52 | 44 | 36
63 | 55 | 47 | 39 | 31 | 23 | 15
 7 | 62 | 54 | 46 | 38 | 30 | 22
14 |  6 | 61 | 53 | 45 | 37 | 29
21 | 13 |  5 | 28 | 20 | 12 |  4


Table 4.12 Schedule of left shifts.

Round #      | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16
Bits rotated | 1 | 1 | 2 | 2 | 2 | 2 | 2 | 2 | 1 |  2 |  2 |  2 |  2 |  2 |  2 |  1

The shifted values are then input into Permutation Choice 2 (PC2). The detailed permutation
of PC2 is illustrated in Table 4.13. The output of PC2 is the 48-bit subkey. Note that PC2
selects from the 56 shifted bits, numbered 1 to 56, with bits 9, 18, 22, 25, 35, 38, 43 and 54
eliminated, so that the output has only 48 bits.


DES decryption: as a feature of the Feistel block cipher, DES decryption uses the same
algorithm as encryption except that the derived subkeys are used in reverse order, from
K_{16} to K_1.


Table 4.13 Permutation choice 2 (PC2).

14 | 17 | 11 | 24 |  1 |  5 |  3 | 28
15 |  6 | 21 | 10 | 23 | 19 | 12 |  4
26 |  8 | 16 |  7 | 27 | 20 | 13 |  2
41 | 52 | 31 | 37 | 47 | 55 | 30 | 40
51 | 45 | 33 | 48 | 44 | 49 | 39 | 56
34 | 53 | 46 | 42 | 50 | 36 | 29 | 32


4.5.5 DES Security

The analysis of DES security can be done in several aspects:

• Avalanche effect: It is a desirable property for an encryption algorithm. A small change
in either the plaintext or the key should produce a significant change in the ciphertext.
A change in one bit of the plaintext or one bit of the key should produce a change in many
bits of the ciphertext. It is proved that DES exhibits a strong avalanche effect.

• Key size: DES has a key size of 56 bits. There are 2^56 ≈ 7.2 × 10^16 keys. A brute-force attack
appeared impractical (in a reasonable amount of time) against DES when it was proposed. However,
DES could be broken within a day, as shown in 1999, with the capability of an average
computer and some assumptions. The time is much shorter nowadays. Unless known
plaintext is provided, the analyst must be able to recognize plaintext.

• Analytic attacks: Cryptanalysis is possible by exploiting the characteristics of DES. The
focus has been on the eight S-boxes that are used in each iteration. These techniques utilize
some deep structure of the cipher by gathering information about encryptions so that
eventually one can recover some or all of the subkey bits, and then exhaustively search for
the rest if necessary. Generally these are statistical attacks that depend on the amount of
information gathered for their likelihood of success. Attacks of this form include differential
cryptanalysis, linear cryptanalysis, and related-key attacks.

• Timing attacks: A timing attack is one in which information about the key or the plaintext
is obtained by observing how long it takes a given implementation to perform decryptions
on various ciphertexts. A timing attack exploits the fact that an encryption or decryption
algorithm often takes slightly different amounts of time on different inputs. DES appears
to be fairly resistant to a successful timing attack.


Despite its popularity in the past, DES is generally considered insecure given today's
computing power, and alternatives must be found to replace it. The most important of
the alternatives are AES and triple DES. Triple DES runs DES three times (E-D-E for
encryption, and D-E-D for decryption).


4.5.6 Multiple Encryption and DES


As discussed before, DES is vulnerable to a brute-force attack. Therefore, there has been
considerable interest in finding an alternative. One approach is to design a completely new
algorithm, of which AES is a prime example. Another alternative, which would preserve
the existing investment in software and equipment, is to use multiple encryption with DES
and multiple keys.

Double DES (2-DES): The simplest form of multiple encryption has two encryption stages
and two keys, i.e. 2-DES or double DES. Two keys (e.g. K_1 and K_2) are applied to two DES
encryptions. The encryption and decryption processes are shown in Figure 4.14. A ciphertext
is produced as:

C = E_{K_2}(E_{K_1}(P)), (4.5)

and the decryption is:

P = D_{K_1}(D_{K_2}(C)). (4.6)

With two keys K_1 and K_2, 2-DES increases the effective key size to 112 bits. However,
the "meet-in-the-middle" attack makes 2-DES vulnerable. The "meet-in-the-middle" attack
was first described by Whitfield Diffie and Martin Hellman in 1977 [21]. It is a known
plaintext attack: with a pair of known plaintext and ciphertext (P, C), it attempts to
find by trial-and-error a value X in the "middle" of the double-DES encryption of this pair,
s.t. X = E_{K_1}(P) = D_{K_2}(C). The cost of this is O(2^56), much better than exhaustive search
at O(2^112). Therefore, 2-DES is not a secure alternative to DES.

Triple-DES (3-DES) with two keys: 3-DES is another alternative to DES. 3-DES with
two keys is a popular implementation. With two keys (e.g. K_1 and K_2), the encryption
and decryption processes are shown in Figure 4.15. Mathematically, the encryption is as
follows:

C = E_{K_1}(D_{K_2}(E_{K_1}(P))), (4.7)

and the decryption is as follows:

P = D_{K_1}(E_{K_2}(D_{K_1}(C))). (4.8)


Figure 4.14 Double-DES (2-DES).

Figure 4.15 Triple-DES (3-DES).


The uses of encryption and decryption stages are equivalent, but the chosen structure allows
for compatibility with single-DES implementations. If K_1 = K_2, then E_{K_1}(D_{K_1}(E_{K_1}(P))) =
E_{K_1}(P). Currently, there are no practical cryptanalytic attacks on 3-DES. The cost of a
brute-force key search on 3-DES is on the order of 2^112 ≈ 5 × 10^33. It is estimated that the
cost of differential cryptanalysis suffers an exponential growth, compared with single DES,
exceeding O(10^52). However, 3-DES suffers from being three times slower to run.

3-DES with three keys: Although there are no practical attacks on two-key triple-DES,
anyone using two-key triple-DES may feel some concern about possible attacks on 2-key
triple-DES. Therefore, triple-DES with three keys (168 bits) is being used in some applications,
including PGP and S/MIME on the Internet, for greater security. The encryption of
3-key triple-DES is as follows:

C = E_{K_3}(D_{K_2}(E_{K_1}(P))), (4.9)

and the decryption of 3-key triple-DES is as follows:

P = D_{K_1}(E_{K_2}(D_{K_3}(C))). (4.10)


4.6 Summary


In this chapter, several symmetric key cryptographic techniques were presented. A few classical
cryptographic algorithms using substitution and transposition techniques were illustrated
to build an understanding of the basics of symmetric key algorithms. Modern stream ciphers
and block ciphers were also presented. The design of modern block ciphers based on the Feistel
cipher structure was also demonstrated. More cryptographic techniques using block ciphers
and public key algorithms will be given in the next chapter.

This chapter continues to introduce more on modern block ciphers, including the Advanced
Encryption Standard, block cipher modes of operation, public key infrastructure, the RSA
algorithm, and the Diffie-Hellman (D-H) key exchange protocol.


5.1 Advanced Encryption Standard


The Advanced Encryption Standard (AES) was standardized by the National Institute of
Standards and Technology (NIST) in 2001 [22]. While 3-DES is considered secure and well
understood, it is too slow in software implementation. NIST solicited a new symmetric
block cipher, AES, to replace DES for a wide range of applications. The Rijndael proposal
was finally selected as the AES standard in November 2001 [23]. The two researchers who
developed and submitted Rijndael for the AES are both cryptographers from Belgium, Joan
Daemen and Vincent Rijmen. The chosen AES cipher and the other candidates for the latest
generation of block ciphers have significantly larger block and key sizes.


5.1.1 The AES Cipher: Rijndael 


The Rijndael proposal for AES defined a cipher in which the block size is 128 bits and the
key length can be independently set to 128, 192, or 256 bits. Depending on the key
length, AES has three parameter configurations, as depicted in Table 5.1. Although the
AES standard uses three key size alternatives, it limits the block length to 128 bits for all
configurations. AES is an iterative cipher (instead of a Feistel cipher) that operates on the
entire data block (i.e. 4 × 4 bytes) in every round, whereas a Feistel cipher operates on one half
of the data block at a time. AES is designed to have the following characteristics: resistance against
all known attacks; speed and code compactness on a wide range of platforms; and design
simplicity.


5.1.2 AES Data Structure 


The overall structure of AES with a key size of 128 bits is illustrated in Figure 5.1. The
input to the AES encryption and decryption algorithms is a single 128-bit block, arranged as a square
matrix of bytes, as depicted in the Federal Information Processing Standards Publication
(FIPS PUB) 197. The other two AES configurations have the same structure with more
rounds.


Security in Wireless Communication Networks, First Edition. Yi Qian, Feng Ye, and Hsiao-Hwa Chen.
© 2022 John Wiley & Sons Ltd. Published 2022 by John Wiley & Sons Ltd.
Companion website: www.wiley.com/go/qian/sec51


Table 5.1 Parameters for different AES configurations.

Parameter            | AES-128   | AES-192   | AES-256
Key size             | 128 bits  | 192 bits  | 256 bits
Plaintext block size | 128 bits  | 128 bits  | 128 bits
Number of rounds     | 10        | 12        | 14
Round key size       | 128 bits  | 128 bits  | 128 bits
Expanded key size    | 176 bytes | 208 bytes | 240 bytes


Figure 5.1 The overall structure of AES.

As shown in Figure 5.2a, the input block is copied into the state array, which is modified
at each stage of encryption or decryption. After the final stage, the state is copied to an
output. As shown in Figure 5.2b, the input key is expanded into 44/52/60 (depending on
the original key size) words of 32 bits each, and four words are used in each round.
The data computation consists of an add round key step, followed by 9/11/13 (depending
on the original key size) rounds with all four steps in each round, and a final round with
three steps. The four steps before the last round are: substitute bytes, shift rows, mix columns,
and add round key. The three steps in the last round are: substitute bytes, shift rows, and add
round key. All the steps are easily reversed, and can be efficiently implemented using XORs
and table lookups for both AES encryption and AES decryption.


Figure 5.2 AES data structure. (a) Input, state array, and output block. (b) Input key and expanded
key.


5.1.3 Details in Each Round 


The detailed illustration will be given with AES-128, which has a key size of 128 bits. The
other two AES configurations are similar. In AES-128, there are ten rounds in both the
encryption and the decryption algorithm. For the first nine rounds, one permutation and three
substitutions are applied as follows:


• Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block.

• Shift rows: A simple permutation.

• Mix columns: A substitution that makes use of arithmetic over GF(2^8), with the irreducible
polynomial m(x) = x^8 + x^4 + x^3 + x + 1.

• Add round key: A simple bitwise XOR of the current block with a portion of the expanded
key.


Only the add round key stage makes use of the round key. For this reason, the cipher
begins and ends with an add round key stage. Any other stage, applied at the beginning or
end, is reversible without knowledge of the key and so would add no security. The tenth
round (the final round) of both encryption and decryption consists of only three stages
(i.e. substitute bytes, shift rows, and add round key).


5.1.3.1 Substitute Bytes

The substitute bytes stage uses a 16 × 16 S-box to perform a byte-by-byte substitution of the
block. This S-box is a permutation of all 256 8-bit values, constructed using a transformation
that treats the values as polynomials in GF(2^8). Decryption requires the inverse of the table.
The two tables are fixed, as given in Tables 5.2 and 5.3.

Both the S-box and the inverse S-box were designed to be resistant to known cryptanalytic
attacks, as required by NIST. Specifically, the design guarantees a low correlation between
input bits and output bits, with the property that the output cannot be described as a simple
mathematical function of the input.


Table 5.2 AES S-box for encryption.

Table 5.3 AES inverse S-box for decryption.


When applying the S-box (or inverse S-box) substitution,
each byte of the state is replaced by the byte indexed by row (left 4 bits) and column (right 4 bits); for
example, byte "58" is replaced by the byte in row 5 and column 8, which is "6A." A complete
process of substitute bytes is given as follows (current state on the left, output on the right):


89 | 85 | 2D | CB        A7 | 97 | D8 | 1F
D8 | 5A | 18 | 12   ->   61 | BE | AD | C9
10 | CE | 43 | 8F        CA | 8B | 1A | 73
E8 | 68 | D8 | E4        9B | 45 | 61 | 69
5.1.3.2 Shift Rows

The shift rows stage shifts three of the rows of the state array to provide a simple "permutation"
of the data. This stage also provides for diffusion of values between columns.
In particular, shift rows performs a circular rotation on each row as follows:


• First row is unchanged.
• Second row does a 1-byte circular shift to the left.
• Third row does a 2-byte circular shift to the left.
• Fourth row does a 3-byte circular shift to the left.


The process is shown in Figure 5.3. For example, given the current state block on the left
below, shift rows is performed as follows:


A7 | 97 | D8 | 1F                A7 | 97 | D8 | 1F
61 | BE | AD | C9   Shift rows   BE | AD | C9 | 61
CA | 8B | 1A | 73       ->       1A | 73 | CA | 8B
9B | 45 | 61 | 69                69 | 9B | 45 | 61


s_{0,0} | s_{0,1} | s_{0,2} | s_{0,3}                s_{0,0} | s_{0,1} | s_{0,2} | s_{0,3}
s_{1,0} | s_{1,1} | s_{1,2} | s_{1,3}   Shift rows   s_{1,1} | s_{1,2} | s_{1,3} | s_{1,0}
s_{2,0} | s_{2,1} | s_{2,2} | s_{2,3}       ->       s_{2,2} | s_{2,3} | s_{2,0} | s_{2,1}
s_{3,0} | s_{3,1} | s_{3,2} | s_{3,3}                s_{3,3} | s_{3,0} | s_{3,1} | s_{3,2}

Figure 5.3 Illustration of shift rows.


In AES decryption, the inverse shift rows stage performs the circular shifts in the opposite
direction for each row.


5.1.3.3 Mix Columns

The mix columns stage is a substitution that makes use of arithmetic over GF(2^8). In this
stage, each byte in the block is mapped into a new value based on all values in that column.
The mapping function is a polynomial matrix multiplication in GF(2^8), with the irreducible
polynomial m(x) = x^8 + x^4 + x^3 + x + 1. The chosen constants mix all four bytes in the same
column with maximal distance between code words. Specifically, the transformation is
defined by the matrix multiplication as follows:


                 [02 03 01 01]
[Mix Column]  =  [01 02 03 01]  × [Current State].  (5.1)
                 [01 01 02 03]
                 [03 01 01 02]


Continuing with the output of shift rows, the result of mix columns can be found as
follows:


A7 | 97 | D8 | 1F                 FF | 31 | 64 | 77
BE | AD | C9 | 61   Mix columns   87 | D8 | 51 | 3A
1A | 73 | CA | 8B        ->       96 | 6A | 51 | D0
69 | 9B | 45 | 61                 84 | 51 | FA | 09


AES decryption applies the inverse mix columns stage, where the matrix multiplication
is given as follows:


                         [0E 0B 0D 09]
[Inverse Mix Column]  =  [09 0E 0B 0D]  × [Current State].  (5.2)
                         [0D 09 0E 0B]
                         [0B 0D 09 0E]


Since mix columns is a matrix multiplication, it can be implemented as four equations
that map all 4 bytes in the same column. Therefore, a software implementation relies only on
shifts, XORs and conditional XORs.


5.1.3.4 Add Round Key

Add round key is the first operation in both AES encryption and AES decryption. It is also
the last stage in each round of AES encryption. The stage simply XORs the current state
block with the round key block, illustrated as follows:


s_{0,0} | s_{0,1} | s_{0,2} | s_{0,3}
s_{1,0} | s_{1,1} | s_{1,2} | s_{1,3}   ⊕   [w_j | w_{j+1} | w_{j+2} | w_{j+3}].
s_{2,0} | s_{2,1} | s_{2,2} | s_{2,3}
s_{3,0} | s_{3,1} | s_{3,2} | s_{3,3}


The add round key stage is simple, thus it does not provide much security in terms of
confusion, diffusion, and non-linearity. Security is mainly provided by the other three stages
in each round. Therefore, the add round key stage is applied at the end of each round, in
which case the confusion, diffusion, and non-linearity provided by the other stages are
kept in AES encryption. The inverse add round key is identical to the forward add round
key, because the XOR operation is its own inverse.


Example: Given the current state block and the round key block, the add round key stage
is operated as follows:


FF | 31 | 64 | 77        B6 | 64 | BE | 68
87 | D8 | 51 | 3A   ⊕    92 | 3D | 9B | 30
96 | 6A | 51 | D0        CF | BD | C5 | B3
84 | 51 | FA | 09        0B | F1 | 00 | FE


where the first matrix is the current state and the second matrix is the round key. The result is
the output of add round key as follows:


49 | 55 | DA | 1F
15 | E5 | CA | 0A
59 | D9 | 94 | 63
8F | A0 | FA | F7

5.1.3.5 AES Key Expansion 

The AES key expansion algorithm takes as input the secret key (16 bytes in AES-128) and
produces an array of words used as round keys in the add round key stages. The AES key expansion
algorithm proceeds as follows:

• Firstly, it copies the initial key into the first group of four words of the round keys, i.e.
W[0], W[1], W[2], W[3], with 4 bytes in each word.

• Secondly, it constructs subsequent groups of four round key words. The first word in each
group of 4 (e.g. W[4]) is computed by applying rotate word, the S-box, and an XOR constant to
the previous word. Rotate word performs a one-byte circular left shift on a word, i.e.
[B_0, B_1, B_2, B_3] → [B_1, B_2, B_3, B_0].

• Thirdly, the output is substituted byte by byte using the S-box in Table 5.2.

• After substitution, the first byte of the result is XORed with a round constant RC[i].
The constant is determined as follows:


Round # | 1  | 2  | 3  | 4  | 5  | 6  | 7  | 8  | 9  | 10
RC[i]   | 01 | 02 | 04 | 08 | 10 | 20 | 40 | 80 | 1B | 36


Note that RC[i] is only applied to the first byte of a word; the next three bytes are not
XORed, i.e. (S_0 ⊕ RC[i], S_1, S_2, S_3).

• Finally, the output is XORed with the word four positions back (i.e. W[i − 4]). For example, if the
output of the XOR with RC is W'[4], then W[4] = W'[4] ⊕ W[0].

• The next three words in a group (e.g. W[5], W[6], and W[7]) are simply based on the
values of the previous word and the word four positions back, as follows:


W[i] = W[i − 1] ⊕ W[i − 4]. (5.3)


The detailed AES key expansion algorithm is summarized in Algorithm 5.1.


Algorithm 5.1 AES key expansion
Input: AES key byte key[16];
Output: Expanded key word w[44];
word temp;
for i = 0; i < 4; i++ do
    w[i] = (key[4i], key[4i + 1], key[4i + 2], key[4i + 3]);
end for
for i = 4; i < 44; i++ do
    temp = w[i − 1];
    if i mod 4 == 0 then
        temp = SubWord(RotWord(temp)) ⊕ RC[i/4];    (RC[i/4] XORed into the first byte only)
    end if
    w[i] = w[i − 4] ⊕ temp;
end for


Key expansion rationale: The algorithm is designed to be resistant to known cryptanalytic 
attacks. Specifically, given part of the key, it would be insufficient to find the rest of the key; 
the key expansion must be an invertible transformation thus decryption can be performed; 
the algorithm needs to use round constants to break symmetry; the algorithm needs to pro- 
vide enough non-linearity to hinder analysis; the algorithm must be simple and easy to 
implement on a wide range of CPUs. 
Example: Given the round key for the second round as:

(W[8], W[9], W[10], W[11]) = (B692CF0B, 643DBDF1, BE9BC500, 6830B3FE).


The first four bytes (first column) of the round key for round 3 (i.e. W[12]) are
calculated as follows:

• i = 12;
• temp = W[i − 1] = W[11] = 6830B3FE;
• After RotWord → 30B3FE68;
• After SubWord → 046DBB45;
• After ⊕ with RC[3] = 04 → 006DBB45;
• W[i − 4] = W[8] = B692CF0B;
• W[i] = W[12] = temp ⊕ W[i − 4] = B6FF744E.


Then, we can find the remaining three words of round 3 as follows:

W[13] = W[12] ⊕ W[9] = D2C2C9BF,
W[14] = W[13] ⊕ W[10] = 6C590CBF,
W[15] = W[14] ⊕ W[11] = 0469BF41.
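The worked round of Sections 5.1.3.1 to 5.1.3.4 and the W[8..11] → W[12..15] step above, carried through in code as an added example (not the book's code): the S-box is generated from GF(2^8) inversion plus the affine map of FIPS 197 instead of being read from Table 5.2, and the state and round key are the ones printed in this section's examples (the byte values in STATE_IN and ROUND2_KEY are copied from them). AES-128 only.

```python
# AES-128 building blocks on this chapter's worked state and round key.
# The S-box is derived from GF(2^8) arithmetic (FIPS 197, Section 5.1.1).
# State is a 4x4 list of rows, s[row][col]; a round key is four 32-bit words, one per column.

def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes in GF(2^8) modulo m(x) = x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B                # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return p

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (square-and-multiply); 0 maps to 0 as in FIPS 197."""
    if a == 0:
        return 0
    result, exponent = 1, 254
    while exponent:
        if exponent & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        exponent >>= 1
    return result

def _sbox_entry(a: int) -> int:
    x = gf_inv(a)
    s = 0x63                         # affine map: x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4) ^ 0x63
    for i in range(5):
        s ^= ((x << i) | (x >> (8 - i))) & 0xFF
    return s

SBOX = [_sbox_entry(a) for a in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]     # the matrix of (5.1)
RC = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # RC[1..10] of the text

def sub_bytes(state):
    return [[SBOX[b] for b in row] for row in state]

def shift_rows(state):
    return [row[r:] + row[:r] for r, row in enumerate(state)]    # row r rotates left by r bytes

def mix_columns(state):
    return [[gf_mul(MIX[r][0], state[0][c]) ^ gf_mul(MIX[r][1], state[1][c])
             ^ gf_mul(MIX[r][2], state[2][c]) ^ gf_mul(MIX[r][3], state[3][c])
             for c in range(4)] for r in range(4)]

def add_round_key(state, words):
    """XOR the state with four words; word c is column c, most significant byte in row 0."""
    return [[state[r][c] ^ ((words[c] >> (24 - 8 * r)) & 0xFF) for c in range(4)]
            for r in range(4)]

def rot_word(w: int) -> int:
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF

def sub_word(w: int) -> int:
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")

def next_round_key(prev, round_no):
    """Derive W[4i..4i+3] from prev = W[4i-4..4i-1] for round i = round_no."""
    temp = sub_word(rot_word(prev[3])) ^ (RC[round_no - 1] << 24)  # RC hits the first byte only
    words = [prev[0] ^ temp]
    for k in range(1, 4):
        words.append(words[k - 1] ^ prev[k])                        # equation (5.3)
    return words

def key_expansion(key: bytes):
    """Algorithm 5.1 for AES-128: 16-byte key -> W[0..43]."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(1, 11):
        w += next_round_key(w[4 * i - 4:4 * i], i)
    return w

def aes_round(state, round_words, last=False):
    """One encryption round; the tenth (last) round skips mix columns."""
    s = shift_rows(sub_bytes(state))
    if not last:
        s = mix_columns(s)
    return add_round_key(s, round_words)

# Copied from this section's examples: the state entering substitute bytes, and W[8..11].
STATE_IN = [[0x89, 0x85, 0x2D, 0xCB], [0xD8, 0x5A, 0x18, 0x12],
            [0x10, 0xCE, 0x43, 0x8F], [0xE8, 0x68, 0xD8, 0xE4]]
ROUND2_KEY = [0xB692CF0B, 0x643DBDF1, 0xBE9BC500, 0x6830B3FE]

if __name__ == "__main__":
    print(["%08X" % w for w in next_round_key(ROUND2_KEY, 3)])   # W[12..15]
    print([["%02X" % b for b in row] for row in aes_round(STATE_IN, ROUND2_KEY)])
```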


5.1.3.6 AES Decryption 

The AES decryption cipher has a similar 9-and-1 round structure, where an add round key
stage is at the beginning of the entire process. However, it is not the exact reverse of the encryption
cipher. In each round, the four stages are applied with their inverse functions in a
different order: inverse shift rows, inverse substitute bytes, add round key, and inverse mix
columns. The add round key stage is the same as in the encryption cipher. Note that the
add round key stage is applied neither first nor last within each round of the decryption cipher, which
may break the security provided by the other stages. Fortunately, the purpose of the decryption
cipher is to reveal the encrypted message rather than to make it harder to understand. Due
to the different stage functions, AES encryption and decryption need two separate software
or firmware modules.


5.1.3.7 AES Implementation Aspects 

Due to its byte-oriented design, AES is easy to implement on an 8-bit processor. Add round
key is a byte-wise XOR operation. Shift rows is a simple byte shifting operation. Substitute
bytes operates at the byte level and only requires a lookup of a 256-byte table S. Mix columns
is a matrix multiplication that can be implemented as byte XORs and table lookups with a
second 256-byte table. AES can also be very efficiently implemented on 32-bit and 64-bit
processors, by rewriting the stage transformations to use 4/8 table lookups and 4/8 XORs
per column of state. These tables can be computed in advance and need 4/8 Kbytes of
storage.


5.2 Block Cipher Modes of Operation


A block cipher forms a basic building block which encrypts or decrypts a fixed-size block
of data. For example, DES encrypts 64-bit blocks with a 56-bit key. In practice, the data to be
handled usually has an arbitrary length. The entire data may be available in advance, where
block operations can be applied. The data may only be available a byte or even a bit at
a time, where stream operations are more appropriate. In order to apply a block cipher
in a variety of applications, NIST FIPS PUB 81 defined four modes of operation [24] based
on the DES block cipher: the electronic codebook (ECB), cipher block chaining (CBC), cipher
feedback (CFB), and output feedback (OFB) modes. In 2001, NIST defined another block
operation mode in the special publication 800-38A [25]. The added mode is the Counter
(CTR) mode. Although DES was the original chosen block cipher, the modes can be used
with any symmetric block cipher, including 3-DES and AES. More recently, an additional
block cipher mode of operation, XTS-AES, was standardized by IEEE and NIST [26].


5.2.1 Electronic Codebook (ECB) Mode 


The ECB mode is the simplest mode. As shown in Figure 5.4, the input message is broken
into independent blocks for encryption. For a given key K, ECB encryption handles one
block at a time, analogous to the assignment of code words in a codebook. The encryption
and decryption of the ECB mode are defined as follows:


C_i = E_K(P_i), for i = 1, ..., N, (5.4)
P_i = D_K(C_i), for i = 1, ..., N. (5.5)


The ECB mode is used when only a few blocks of information need to be sent, for example,
a session key encrypted using a master key. In both ECB encryption and ECB decryption,
multiple forward cipher functions and inverse cipher functions can be computed in parallel.

Advantages and limitations of ECB mode: The advantage of the ECB mode is its computational
efficiency and capability for parallel computing. However, the ECB mode is not appropriate
for a large amount of data, since repetitions may show in the ciphertext due to its independent
blocks. The main use of the ECB mode is to encrypt a small amount of data, e.g. just
one or a few blocks.


Figure 5.4 The electronic codebook (ECB) mode. (a) Encryption.


5.2.2 Cipher Block Chaining (CBC) Mode 


The CBC mode overcomes the weakness of repetitions and order independence in the ECB
mode. In the CBC mode, the input message is also split into blocks, as shown in Figure 5.5.
The encryption and decryption of a block in the CBC mode depend on the current message
block and all the previous ciphertext blocks. The CBC mode requires an initial value (i.e. IV)
for the first block operation. The IV is usually a well-known value (e.g. all 0's), or otherwise
is sent encrypted with the ECB mode. In CBC encryption, the first input block is formed
by XORing the first message block with the IV. Inputs to the other blocks are formed
by XORing the current message block with the previous ciphertext. The encryption of the
CBC mode is defined as follows:


C_1 = E_K(P_1 ⊕ IV),
C_i = E_K(P_i ⊕ C_{i−1}), for i = 2, ..., N. (5.6)


In CBC decryption, each ciphertext block is passed through the decryption algorithm.
The result is XORed with the preceding ciphertext block to produce the plaintext block.
The plaintext of the first block is revealed by first decrypting the ciphertext block, and then
XORing with the IV. The decryption of the CBC mode is defined as follows:


P_1 = D_K(C_1) ⊕ IV,
P_i = D_K(C_i) ⊕ C_{i−1}, for i = 2, ..., N. (5.7)


Advantages and limitations of CBC mode: Since a ciphertext block depends on all blocks
before it in the CBC mode, the encrypted message cannot be changed or rearranged without
totally destroying the subsequent data. However, the CBC mode needs an IV which must be
known to both sender and receiver. If the IV is sent in clear text, then an attack can be launched
on the first block, because any change of the first block can be compensated by changing
the corresponding bits of the IV. Hence an IV must be a fixed value or be sent encrypted (e.g.
using the ECB mode) before the rest of the message. The CBC mode is applicable whenever
large amounts of data need to be sent securely, provided that all data is available in advance.


Figure 5.5 Cipher block chaining (CBC) mode. (a) Encryption. (b) Decryption.


5.2.3 Cipher Feedback (CFB) Mode


In the cipher feedback (CFB) mode, the message is treated as a stream of bits. In general, the
CFB mode features the feedback of successive ciphertext segments into the input blocks of
the forward cipher to generate output blocks that are XORed with the plaintext to produce
the ciphertext. The standard of the CFB mode allows any number of bits (e.g. 1, 8, 64, 128,
etc.) to be fed back, denoted by CFB-1, CFB-8, CFB-64, CFB-128, etc. The largest segment size
depends on the block size of the cipher used, for instance, DES (CFB-64) or AES (CFB-128).

As shown in Figure 5.6a, the encryption of the CFB mode starts with an IV. The block
size of the cipher is b bits. The CFB mode also requires an integer parameter, denoted s,
1 ≤ s ≤ b. It is the size of each plaintext segment and of each ciphertext segment. Let
MSB_s(X) be the s most significant (left-most) bits of X. Let LSB_{b−s}(X) be the remaining (b − s) bits
after the s-bit left shift of the b-bit block X. The first ciphertext segment is produced
by XORing the first plaintext segment with the s most significant bits of the first output
block of the cipher. The remaining (b − s) bits of the first output block of the cipher are
discarded. The (b − s) least significant bits of the IV are then concatenated with the s bits
of the first ciphertext segment to form the second input block. The process is repeated with
the successive input blocks until a ciphertext segment is produced from every plaintext
segment. The encryption of the CFB mode is defined as follows:


I_1 = IV,
C_1 = P_1 ⊕ MSB_s(E_K(I_1)),
I_i = LSB_{b−s}(I_{i−1}) || C_{i−1},  C_i = P_i ⊕ MSB_s(E_K(I_i)), for i = 2, ..., N. (5.8)


In CFB decryption, simply swap the roles of P_i and C_i, as follows:


I_1 = IV,
P_1 = C_1 ⊕ MSB_s(E_K(I_1)),
I_i = LSB_{b−s}(I_{i−1}) || C_{i−1},  P_i = C_i ⊕ MSB_s(E_K(I_i)), for i = 2, ..., N. (5.9)


Figure 5.6 Cipher feedback (CFB) mode. (a) Encryption in CFB mode. (b) Decryption in CFB mode.


Advantages and limitations of CFB mode: The CFB mode is usually applied as a stream
mode, which is appropriate when data arrives in bits or bytes. The CFB mode is not appropriate
for "noisy" transmission links, because any corrupted data in the transmission will
continue corrupting the values in the current and all future blocks. Moreover, the CFB
mode also requires an IV for the initial operation. If the IV is revealed to an attacker, then with a
known plaintext block, e.g. the ith plaintext block, the ith output of the forward cipher
function can be determined easily from the ith ciphertext block of the message. With a properly
secured IV, the CFB mode can be used for quantities of stream-oriented data, and for
authentication.


5.2.4 Output Feedback (OFB) Mode 


The output feedback (OFB) mode is an alternative to the CFB mode. As shown in Figure 5.7, 
the input of the OFB mode is treated as a stream of bits. The output of cipher is XORed to 
the plaintext as the ciphertext. The output of the cipher is also fed back as the input to the 
cipher for the encryption of next block. Let I; and O; be the input and output encryption E 
of the ith block. Then the encryption of the OFB mode is defined as follows: 


I, =IV, 
= 03-;; fori=2,...,N 
i= Vi-1 (5.10) 
O; = E, (1), fori=1,...,N 
C; = P; ® O,, fori=1,...,N. 
For decryption, the OFB mode is defined as follows: 
I, =IV, 
L=0,,, fori=2,...,N 
i i-1 (5.11) 
O; = E,(I,), fori=1,...,N 


P,=C,@O,, fori=1,...,N. 
Advantages and limitations of OFB mode: The feedback in the OFB mode is independent
of the plaintext, so the keystream $O_1, O_2, \dots$ can be computed before the data arrives. The
advantage is that bit errors in transmission do not propagate: a flipped ciphertext bit flips only
the corresponding plaintext bit. That same property makes the OFB mode more vulnerable to a
message stream modification attack than the CFB mode, since an attacker can make controlled
changes to the plaintext by flipping ciphertext bits. Since OFB is a Vernam cipher variant, a
keystream (i.e. a key and IV pair) must never be reused: otherwise the two ciphertexts can be
XORed together, cancelling the keystream and leaving the XOR of the two plaintexts, a "book"
cipher that is solved with ordinary language statistics. Moreover, sender and receiver must
remain in synchronization, or all subsequent data is lost.


5.2.5 The Counter (CTR) Mode 


The counter (CTR) mode features the application of the forward cipher to a set of input
blocks, i.e. counters, to produce a sequence of output blocks that are XORed with the
plaintext to produce the ciphertext, as illustrated in Figure 5.8a. The size of a counter is
equal to the size of a plaintext block. The only requirement stated in SP 800-38A is that
the counter value must be different for each plaintext block that is encrypted under a given
key. Typically the counter is initialized to some value and then incremented by 1 for each
subsequent block. For encryption, a counter block is encrypted first. The output is XORed with
the plaintext to produce the ciphertext. The counter is incremented by 1 for the next block.
The encryption for the CTR mode is defined as follows:

$$
\begin{aligned}
O_i &= E_K(\mathrm{Counter} + i - 1), \quad i = 1, \dots, N, \\
C_i &= P_i \oplus O_i, \quad i = 1, \dots, N.
\end{aligned}
\tag{5.12}
$$

For decryption, swap the ciphertext and the plaintext in each block:

$$
\begin{aligned}
O_i &= E_K(\mathrm{Counter} + i - 1), \quad i = 1, \dots, N, \\
P_i &= C_i \oplus O_i, \quad i = 1, \dots, N.
\end{aligned}
\tag{5.13}
$$

Figure 5.8 Counter (CTR) mode. (a) Encryption in CTR mode. (b) Decryption in CTR mode.


Advantages and limitations of CTR mode: An advantage of the CTR mode is its high effi-
ciency, since the output of the cipher can be calculated in advance. Moreover, since the
encryption of each block is independent of the others, blocks can be encrypted or decrypted in
parallel, and any block of the ciphertext can be accessed at random by computing the single
counter value it depends on. Like OFB, CTR produces a keystream, so bit errors do not
propagate but ciphertext bits can be flipped to make controlled changes in the plaintext. The
CTR mode must never reuse the same (key, counter) pair: two messages encrypted with the
same counter blocks leak the XOR of their plaintexts, exactly as with a reused OFB keystream.
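The three keystream-style modes above (CFB, OFB and CTR) differ mainly in how a transmission error or a reused IV propagates, and the following Python example, added here and not part of the book, makes that concrete. It assumes a stand-in forward cipher function `forward_cipher` built from HMAC-SHA256 (a keyed pseudorandom function, not AES; these modes only ever call $E_K$, never $D_K$), constructed key, IV, counter and sample message values, and full-block CFB with $s = b = 128$ bits. `affected_blocks` flips one ciphertext bit in transit and reports which plaintext blocks then decrypt wrongly (two for CFB, one for OFB and CTR); `keystream_reuse_leak` shows that two messages under the same key and IV or counter expose the XOR of their plaintexts; `ctr_decrypt_block` shows CTR's random access.

```python
import hmac
import hashlib

BLOCK = 16  # b = 128 bits; full-block CFB, i.e. s = b

# Constructed sample key, IV, counter and message (6 blocks); not secret values.
KEY = b"constructed-demo-key-not-secret!"
IV = bytes(range(16))
COUNTER = 7
SAMPLE = b"".join(b"segment-%02d-data!" % i for i in range(6))


def forward_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward cipher function E_K (assumption: a keyed PRF
    from HMAC-SHA256 truncated to one block, not AES). CFB, OFB and CTR only
    ever call E_K; the inverse D_K is never needed by these modes."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, feedback = [], iv                          # I_1 = IV
    for p in split_blocks(plaintext):
        c = xor(p, forward_cipher(key, feedback))   # C_i = P_i xor E_K(I_i)
        out.append(c)
        feedback = c                                # I_{i+1} = C_i (s = b)
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, feedback = [], iv
    for c in split_blocks(ciphertext):
        out.append(xor(c, forward_cipher(key, feedback)))  # P_i = C_i xor E_K(I_i)
        feedback = c                                # feedback is the *received* C_i
    return b"".join(out)


def ofb_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation."""
    out, o = [], iv                                 # I_1 = IV
    for d in split_blocks(data):
        o = forward_cipher(key, o)                  # O_i = E_K(I_i); I_{i+1} = O_i
        out.append(xor(d, o))
    return b"".join(out)


def counter_block(counter: int, i: int) -> bytes:
    return ((counter + i) % (1 << 128)).to_bytes(BLOCK, "big")


def ctr_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    """O_i = E_K(Counter + i - 1); every block is independent of the others."""
    return b"".join(xor(d, forward_cipher(key, counter_block(counter, i)))
                    for i, d in enumerate(split_blocks(data)))


def ctr_decrypt_block(key: bytes, counter: int, ciphertext: bytes, i: int) -> bytes:
    """Random access: recover plaintext block i without touching the others."""
    return xor(split_blocks(ciphertext)[i], forward_cipher(key, counter_block(counter, i)))


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def affected_blocks(mode: str, key: bytes, iv, plaintext: bytes, damaged: int = 2) -> list:
    """Encrypt, flip one bit of ciphertext block `damaged` in transit, decrypt,
    and report which plaintext blocks no longer match the original."""
    enc, dec = {"cfb": (cfb_encrypt, cfb_decrypt),
                "ofb": (ofb_crypt, ofb_crypt),
                "ctr": (ctr_crypt, ctr_crypt)}[mode]
    damaged_ct = flip_bit(enc(key, iv, plaintext), damaged * BLOCK + 3, 5)
    recovered = dec(key, iv, damaged_ct)
    return [i for i, (a, b) in enumerate(zip(split_blocks(plaintext),
                                              split_blocks(recovered))) if a != b]


def keystream_reuse_leak(mode: str, key: bytes, iv, p1: bytes, p2: bytes) -> bool:
    """Two messages under the same key and IV/counter in OFB or CTR: XORing the
    ciphertexts cancels the keystream and exposes P1 xor P2."""
    crypt = ofb_crypt if mode == "ofb" else ctr_crypt
    return xor(crypt(key, iv, p1), crypt(key, iv, p2)) == xor(p1, p2)
```

With a real cipher the numbers are the same: CFB with $s = b$ damages the hit block and the one after it and then recovers, while OFB and CTR damage exactly the hit block, which is also why an attacker can edit OFB/CTR plaintext bit by bit unless a MAC is added.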


5.2.6 Last Block in Different Modes 


One issue that arises with block cipher modes of operation is how to handle the last block,
since a message length need not be a multiple of the block size. In general, the last block needs
to be padded (typically with 0's). At the receiver's side, the padding must be unambiguous so
that it can be removed. One way is to reserve the last byte of the padding as a count of how many
bytes of padding were used (including the count byte itself). For example, $[b_1, b_2, b_3, b_4, b_5, 0, 0, 3]$
means that there are 5 data bytes followed by 3 bytes of "padding + count." Note that if this is
done, then when the message length is already an exact multiple of the block size, or when the
data itself ends in something that has exactly the same form as "padding + count," a whole extra
block of padding must be added so that the receiver always strips the right number of bytes.
Ciphertext-stealing techniques avoid the need for this extra block by borrowing part of the
previous ciphertext block instead of padding.
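The count-in-last-byte scheme described above, as an added Python example that is not from the book: `pad` and `unpad` implement it with 8-byte blocks, including the extra full block when the data length is already a multiple of the block size or the data itself ends in something shaped like padding; `unpad` rejects anything `pad` could not have produced, and `unpad_lenient` shows the shortcut a receiver must not take. All inputs are constructed.

```python
BLOCK = 8   # byte-oriented example with 64-bit blocks, as in the text


def pad(msg: bytes) -> bytes:
    """Zero filler, last byte = number of padding bytes including the count
    byte. A message whose length is already a multiple of BLOCK, and hence also
    one that happens to end in something shaped like padding, gets a whole
    extra block (7 zeros + 0x08) so unpad() never has to guess."""
    n = BLOCK - (len(msg) % BLOCK)          # 1 .. BLOCK, never 0
    return msg + b"\x00" * (n - 1) + bytes([n])


def unpad(padded: bytes) -> bytes:
    """Strict removal: accept only what pad() can produce. When this runs on
    decrypted data, all three failures must look identical to the sender, or
    the error message becomes a padding oracle."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("invalid padding")
    n = padded[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("invalid padding")
    if any(padded[-n:-1]):                  # every filler byte must be zero
        raise ValueError("invalid padding")
    return padded[:-n]


def is_valid_padding(padded: bytes) -> bool:
    try:
        unpad(padded)
        return True
    except ValueError:
        return False


def unpad_lenient(data: bytes) -> bytes:
    """What not to do: trust the count byte blindly. Applied to data that was
    never padded but ends in 0, 0, 3 it silently eats three data bytes."""
    return data[:-data[-1]]
```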


5.2.7. XTS-AES Mode 


XTS-AES is an additional block cipher mode of operation. This mode is defined by IEEE
Standard 1619-2007 and approved by NIST in SP 800-38E, which describes a method of
encryption for data stored in sector-based devices [26]. The XTS-AES mode is based on the
concept of a tweakable block cipher. The requirements for encrypting stored data, also referred
to as "data at rest," differ from those for transmitted data: the ciphertext must occupy exactly
the same space as the plaintext, any sector must be decryptable on its own, and identical
plaintext stored in different sectors should not produce identical ciphertext. Figure 5.9
illustrates XTS-AES operation on a single block. The XTS-AES encryption of a single block
involves two instances of the AES algorithm with two keys (i.e. $K_1$ and $K_2$), and a number of
parameters.

Figure 5.9 XTS-AES operation on a single block. (a) Encryption in XTS-AES. (b) Decryption in
XTS-AES.

In essence, $i$ is the 128-bit tweak value for the sector and $j$ is the block number within
the sector. Each data unit (sector) is assigned a tweak value that is a non-negative integer
(typically the sector number). The operator $\otimes$ is multiplication of two polynomials with
binary coefficients modulo $x^{128} + x^7 + x^2 + x + 1$, i.e. multiplication in $\mathrm{GF}(2^{128})$;
$\alpha$ is the primitive element of $\mathrm{GF}(2^{128})$ that corresponds to the polynomial $x$
(i.e. $0000 \dots 010_2$), so $\alpha^j$ is obtained by $j$ doublings. The XTS-AES block encryption is
defined as follows:

$$
\begin{aligned}
T_j &= E_{K_2}(i) \otimes \alpha^j, \\
C_j &= T_j \oplus E_{K_1}\!\left(T_j \oplus P_j\right).
\end{aligned}
\tag{5.14}
$$

In the XTS-AES decryption, $T_j$ is computed in the same way, the inner AES encryption is
replaced by AES decryption, and $C_j$ and $P_j$ swap roles. Thus the XTS-AES block decryption
is defined as follows:

$$
\begin{aligned}
T_j &= E_{K_2}(i) \otimes \alpha^j, \\
P_j &= T_j \oplus D_{K_1}\!\left(T_j \oplus C_j\right).
\end{aligned}
\tag{5.15}
$$

An input data unit may span multiple blocks. Instead of padding, XTS-AES uses a technique
called ciphertext stealing. The ciphertext-stealing technique used in both XTS-AES encryption
and decryption is shown in Figure 5.10. It ensures that the encrypted data remains the same
size as the original plaintext, which it must, since it has to fit back into the same sector of a
block-oriented storage device.

Figure 5.10 XTS-AES ciphertext-stealing mode. (a) The ciphertext-stealing in XTS-AES
encryption. (b) The ciphertext-stealing in XTS-AES decryption.

Advantages and limitations of XTS-AES mode: The XTS-AES mode is suitable for parallel
operation. Because there is no chaining, multiple blocks can be encrypted or decrypted
simultaneously, so XTS-AES is efficient. Unlike CTR mode, XTS-AES takes both a sector-dependent
tweak (the parameter $i$) and a block index within the sector (the parameter $j$), so the same
plaintext block stored at two different locations encrypts to different ciphertext. XTS-AES
addresses the security concerns of stored data; like the other confidentiality-only modes of this
section, however, it provides no integrity protection, so an attacker with write access to the
device can modify ciphertext undetected (a modified block decrypts to garbage rather than to a
controlled change).
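The following Python example, added here and not from the book or the standards, shows the tweak arithmetic of (5.14) and (5.15) and the ciphertext stealing of Figure 5.10 end to end. Because the standard library has no AES, it assumes a toy 128-bit Feistel block cipher (`toy_block_encrypt`/`toy_block_decrypt`, built from HMAC-SHA256) in place of AES-128; everything else, the tweak sequence $T_j = E_{K_2}(i) \otimes \alpha^j$ in $\mathrm{GF}(2^{128})$ with the IEEE 1619 bit ordering, the XEX block operation, and the stealing of the last partial block, is the real XTS structure. Keys, sector number and the 37-byte data unit are constructed sample values.

```python
import hmac
import hashlib

BLOCK = 16

# Constructed sample keys and a 37-byte data unit (2 full blocks + 5 bytes).
K1 = b"k1-constructed-sample-key"
K2 = b"k2-constructed-sample-key"
SAMPLE_UNIT = bytes(range(37))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, half + bytes([rnd]), hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Assumption: an 8-round Feistel network stands in for AES-128 so the
    example runs on the standard library; XTS only needs some 128-bit keyed
    permutation that has an inverse."""
    L, R = block[:8], block[8:]
    for rnd in range(8):
        L, R = R, bytes(a ^ b for a, b in zip(L, _round(key, R, rnd)))
    return L + R


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:8], block[8:]
    for rnd in reversed(range(8)):
        L, R = bytes(a ^ b for a, b in zip(R, _round(key, L, rnd))), L
    return L + R


def gf128_mul_alpha(t: bytes) -> bytes:
    """Multiply by alpha = x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1,
    with the IEEE 1619 convention that byte 0, bit 0 is the least significant."""
    out, carry = bytearray(16), 0
    for k in range(16):
        out[k] = ((t[k] << 1) & 0xFF) | carry
        carry = t[k] >> 7
    if carry:
        out[0] ^= 0x87
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def tweaks(key2: bytes, sector: int, count: int) -> list:
    """T_j = E_K2(i) (x) alpha^j for j = 0..count-1; i is the sector number as
    a 128-bit little-endian integer."""
    t, out = toy_block_encrypt(key2, sector.to_bytes(16, "little")), []
    for _ in range(count):
        out.append(t)
        t = gf128_mul_alpha(t)
    return out


def xts_block_encrypt(key1, t, p):   # C_j = T_j xor E_K1(T_j xor P_j)
    return xor(t, toy_block_encrypt(key1, xor(t, p)))


def xts_block_decrypt(key1, t, c):   # P_j = T_j xor D_K1(T_j xor C_j)
    return xor(t, toy_block_decrypt(key1, xor(t, c)))


def xts_encrypt(key1: bytes, key2: bytes, sector: int, data: bytes) -> bytes:
    m, r = divmod(len(data), BLOCK)            # m full blocks, r leftover bytes
    if m == 0:
        raise ValueError("a data unit must be at least one block long")
    T = tweaks(key2, sector, m + 1)
    blocks = [data[j * BLOCK:(j + 1) * BLOCK] for j in range(m)]
    out = [xts_block_encrypt(key1, T[j], blocks[j]) for j in range(m - 1)]
    if r == 0:
        out.append(xts_block_encrypt(key1, T[m - 1], blocks[m - 1]))
        return b"".join(out)
    # Ciphertext stealing (Figure 5.10a): encrypt the last full block, lend its
    # tail to the partial block, and keep only its head as the partial ciphertext.
    cc = xts_block_encrypt(key1, T[m - 1], blocks[m - 1])
    pp = data[m * BLOCK:] + cc[r:]                 # PP = P_m || tail(CC, 16 - r)
    out.append(xts_block_encrypt(key1, T[m], pp))  # C_{m-1}, with tweak index m
    out.append(cc[:r])                             # C_m = head(CC, r)
    return b"".join(out)


def xts_decrypt(key1: bytes, key2: bytes, sector: int, data: bytes) -> bytes:
    m, r = divmod(len(data), BLOCK)
    if m == 0:
        raise ValueError("a data unit must be at least one block long")
    T = tweaks(key2, sector, m + 1)
    blocks = [data[j * BLOCK:(j + 1) * BLOCK] for j in range(m)]
    out = [xts_block_decrypt(key1, T[j], blocks[j]) for j in range(m - 1)]
    if r == 0:
        out.append(xts_block_decrypt(key1, T[m - 1], blocks[m - 1]))
        return b"".join(out)
    pp = xts_block_decrypt(key1, T[m], blocks[m - 1])   # P_m || tail(CC, 16 - r)
    cp = data[m * BLOCK:] + pp[r:]                       # C_m || tail(PP) = CC
    out.append(xts_block_decrypt(key1, T[m - 1], cp))    # P_{m-1}
    out.append(pp[:r])                                   # P_m
    return b"".join(out)
```

The two checks worth keeping from this are that the ciphertext is exactly as long as the data unit, and that the same all-zero plaintext block produces different ciphertext at two block positions of one sector and at the same position of two sectors.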


5.3 Public Key Infrastructure 


All the cryptographic systems discussed so far are symmetric key systems, where one key is
pre-shared between the sender and the receiver. If this key is disclosed, the entire communication
is compromised. Also, both parties are equal in a symmetric cryptographic system: anyone who
can verify a message could equally have created it. All classical and modern block and stream
ciphers are of this form, and still rely on the fundamental building blocks of substitution and
permutation (transposition). There are two key issues with symmetric systems:


• Key distribution: How to have secure communications in general without having to trust
  a Key Distribution Center (KDC) with your key?
• Digital signatures: How to verify that a message comes intact from the claimed sender?


Public-Key Cryptography (PKC) was developed to address those issues. 


5.3.1 Basics of Public Key Cryptography 


PKC is asymmetric: it involves the use of two separate keys (i.e. a public/private key pair),
in contrast to symmetric encryption, which uses only one key. Anyone knowing the public
key can encrypt messages or verify signatures, but cannot decrypt messages or create signa-
tures, counter-intuitive though this may seem. It works by the clever use of number theory
problems that are easy one way but hard the other. Note that public key schemes are neither
more nor less secure than symmetric (private key) schemes (security depends on the key size
for both, although the sizes are not directly comparable), nor do they replace symmetric
schemes (they are far too slow to do so); rather, they complement them. Both also have issues
with key distribution, requiring the use of some suitable protocol [27-29].

Public key algorithms must have the following characteristics. First, it is computationally
infeasible to determine the decryption key given only knowledge of the cryptographic
algorithm and the encryption key. Second, it is computationally easy to encrypt or to decrypt
messages when the relevant key is known. Third, for some algorithms, either of the two related
keys can be used for encryption, with the other used for decryption. Public key schemes
therefore rely on problems that are easy in one direction but believed to be hard in the other,
e.g. modular exponentiation is easy but the discrete logarithm is hard, and multiplication is
easy but factoring is hard. (These are conjectured hard problems, not problems proven to be
intractable, and their difficulty grows only with the size of the numbers involved.) Public key
schemes can be used for either secrecy or authentication. PKC is asymmetric because those who
encrypt messages or verify signatures cannot decrypt messages or create signatures. PKC
involves the use of two keys:


• Public key: which may be known by anyone and can be used to encrypt messages and
  verify signatures;

• Private key: which is known only to the owner and is used to decrypt messages and
  create signatures.


Figure 5.11 illustrates the essential elements of a public-key cryptographic scheme. As shown
in Figure 5.11a, the transmitter A encrypts the plaintext $M$ using the receiver B's public key
$PU_B$:

$$C = E_{PU_B}(M). \tag{5.16}$$

Figure 5.11 Public-key cryptography. (a) Encryption and decryption. (b) Digital signature.

Figure 5.12 Public-key cryptographic systems.

The receiver B then decrypts the message using its own private key $PR_B$:

$$M = D_{PR_B}(C). \tag{5.17}$$

Confidentiality is provided since B is the only one who can decrypt the ciphertext. As shown
in Figure 5.11b, the transmitter A signs the plaintext using its own private key $PR_A$:

$$S = E_{PR_A}(M). \tag{5.18}$$

The receiver B then verifies the signature using A's public key $PU_A$:

$$M = D_{PU_A}(S). \tag{5.19}$$

Note that anyone who has A's public key can verify the signature. The two operations can be
used together for both encryption and authentication, as illustrated in Figure 5.12. In this
case, two key pairs are involved: A's pair for signing and B's pair for encryption. Sender A first
signs the plaintext $M$ to get $E_{PR_A}(M)$, then encrypts the result with B's public key to get

$$C = E_{PU_B}\!\left(E_{PR_A}(M)\right). \tag{5.20}$$

Receiver B first decrypts the ciphertext with its private key to get $D_{PR_B}(C)$, then verifies
the signature with A's public key:

$$M = D_{PU_A}\!\left(D_{PR_B}(C)\right). \tag{5.21}$$

Because public-key operations are computationally expensive, applying two of them to every
message is rarely done in general practice and is reserved for specific applications; the usual
pattern is to sign a hash of the message and to encrypt the bulk data with a symmetric session
key (see Section 5.3.2).


5.3.2 Public-Key Applications 


Depending on the application, the sender uses either the sender’s private key or the 
receiver’s public key, or both, to perform some type of cryptographic function. In broad 
terms, the use of public-key cryptosystems can be classified into the three categories: 


• Encryption and decryption: The sender encrypts a message with the recipient's public key.

• Digital signature: The sender signs a message with its private key, applied either to the
  whole message or to a small block of data that is a function of the message (a hash).

• Key exchange: Two sides cooperate to establish a session key, to be used for symmetric-
  key secure communication.


Some public key algorithms are capable of all three applications, whereas others can be
used for only one or two of them.

5.3.3 Security of Public Key Schemes


Public key schemes are no more or less secure than private key schemes. It is the key size
that determines the security in either type of scheme, since a brute-force exhaustive search
attack is always theoretically possible. Nonetheless, the key sizes of public key schemes and
private key schemes cannot be compared directly. As a rough rule of thumb, a 64-bit private
key scheme has similar security to 512-bit RSA (a public key scheme); both of these sizes are
long broken, and today 128-bit symmetric keys are paired with RSA moduli of 3072 bits or
more. Therefore, public key schemes use much larger keys than private key schemes. Besides
key size, the security of public key schemes relies on the gap between the easy
encryption/decryption operation and the hard underlying cryptanalysis problem. There is
usually a firmer theoretical basis for determining the security of public key schemes. However,
it requires the use of very large numbers to secure public key schemes. Hence public key
schemes are relatively slow in computation compared to private key schemes.


5.4 The RSA Algorithm 


The RSA algorithm is by far the most widely used public key encryption scheme. RSA
was first published by Rivest et al. of MIT in 1977 [30]. Since that time RSA has reigned
supreme as the most widely accepted and implemented general-purpose approach to public
key schemes. It is based on modular exponentiation over the integers modulo a composite
number $n = p \cdot q$ (the ring $\mathbb{Z}_n$, which is not a field), using large integers (e.g. 2048 bits;
1024-bit moduli are no longer considered adequate). Its security rests on the cost of factoring
large numbers, which is a hard problem [31].


5.4.1 RSA Key Setup 


RSA key setup is done once when a user establishes or replaces its public/private keys, using 
the steps as follows: 


(1) Select two large prime numbers $p$ and $q$ at random.

(2) Compute the system modulus $n = p \cdot q$; note that $\phi(n) = (p-1)(q-1)$.

(3) Select at random the encryption exponent $e$ such that $1 < e < \phi(n)$ and $\gcd(e, \phi(n)) = 1$.

(4) Find the decryption exponent $d$ such that $e \cdot d \equiv 1 \pmod{\phi(n)}$, with $0 < d < \phi(n)$.

(5) The public key is $PU = \{e, n\}$.

(6) The private key is $PR = \{d, n\}$.


It is critically important that the factors $p$ and $q$ of the modulus $n$ are kept secret (or
destroyed after key setup), since if they become known, $\phi(n)$ and hence $d$ follow immediately
and the system is broken. Note that different users will have different moduli $n$.


RSA key setup example: Given two prime numbers $p = 13$ and $q = 19$, the public/
private keys are derived as follows:

$$
\begin{aligned}
n &= p \cdot q = 13 \times 19 = 247, \\
\phi(n) &= (p-1) \cdot (q-1) = 12 \times 18 = 216.
\end{aligned}
$$

The encryption exponent $e$ is selected as $e = 11$, where $\gcd(11, 216) = 1$. The decryption
exponent $d$ is found as $d = 59$ by calculating the multiplicative inverse of $e = 11$ modulo $216$.
It can be easily verified, i.e. $59 \times 11 = 649 = 3 \times 216 + 1$. Therefore, the public key of
this example is $PU = \{11, 247\}$, and the private key is $PR = \{59, 247\}$.

Note that in real applications of RSA, the parameters $p$, $q$, $n$, $e$, $d$ must all be very large
integers. A primality test such as the Miller-Rabin algorithm is used to test whether a generated
large integer is (very probably) prime. The Extended Euclidean Algorithm is used to find $d$
given $e$ and $\phi(n)$.


5.4.2 RSA Encryption and Decryption


The actual RSA encryption and decryption computations are each a single exponentiation
modulo $n$. Note that the message must be smaller than the modulus. The "magic" is in the
choice of the exponents, which makes the system work.


• To encrypt a message $M$, the sender:
  - Obtains the public key of the recipient $PU = \{e, n\}$.
  - Computes $C = M^e \bmod n$, where $0 \le M < n$.
• To decrypt a ciphertext $C$, the recipient:
  - Uses the private key $PR = \{d, n\}$.
  - Computes $M = C^d \bmod n$.


Note that the message $M$ must be smaller than the modulus $n$. If $M$ is larger than $n$, it can
in principle be split into smaller blocks, but this "textbook RSA" on raw blocks is deterministic
and malleable and is never used as such in practice: real protocols encrypt a random symmetric
key with padded RSA (see Section 5.4.3.3 on OAEP) and the bulk data with a symmetric cipher.

RSA works because of Euler's theorem: $a^{\phi(n)} \equiv 1 \pmod n$ whenever $\gcd(a, n) = 1$.
In RSA we have $e \cdot d = 1 + k \cdot \phi(n)$ for some integer $k$. Hence it can be verified that

$$
C^d = M^{e \cdot d} = M^{1 + k\phi(n)} = M \cdot \left(M^{\phi(n)}\right)^k \equiv M \pmod n.
$$


RSA encryption and decryption example: Given the message $M = 8$, $PU = \{11, 247\}$ and
$PR = \{59, 247\}$, RSA encryption proceeds as follows:

$$C = M^e \bmod n = 8^{11} \bmod 247 = 31.$$

The decryption of this ciphertext is as follows:

$$M = C^d \bmod n = 31^{59} \bmod 247 = 8.$$

Note that in real applications of RSA, the Chinese Remainder Theorem (computing $C^d$ modulo
$p$ and $q$ separately with the reduced exponents $d \bmod (p-1)$ and $d \bmod (q-1)$) and efficient
exponentiation techniques such as square-and-multiply are used to speed up the computation.


5.4.3 RSA Security Analysis


There are several possible approaches to attacking the RSA algorithm. The defense against the
brute-force attack is the same for RSA as for other cryptosystems, namely, using a large
key space. Therefore, the larger the number of bits in the modulus $n$ (and hence in $d$), the
better the security against brute-force key search. However, because the calculations involved
both in key generation and in encryption/decryption are complex, the larger the size of the key,
the slower the system will run. Besides brute-force attack, there are other possible approaches,
including mathematical attacks (based on the difficulty of computing $\phi(n)$ by factoring the
modulus $n$), timing attacks, and chosen ciphertext attacks (CCA).



5.4.3.1 Factoring Problem
One can identify three approaches to attacking RSA mathematically:


• Factor $n = p \cdot q$, hence compute $\phi(n)$ and then $d$ from $p$ and $q$.
• Determine $\phi(n)$ directly and compute $d$.
• Find $d$ directly.


All three are believed to be as hard as factoring $n$. The best known classical factoring
algorithm for RSA-sized numbers is the general number field sieve (with lattice sieving); it
was used to factor the 200-decimal-digit (663-bit) RSA-200 challenge number in 2005, and the
largest publicly factored RSA modulus to date is RSA-250 (829 bits, 2020). Therefore, 1024-bit
RSA is no longer considered secure against a well-resourced adversary, and 2048-bit or larger
moduli are assumed to be secure against factoring in the near future.


5.4.3.2 Timing Attacks

A timing attack is a ciphertext-only attack. It exploits timing variations in operations. For
example, multiplying large numbers takes more time than multiplying small numbers, and
different instruction sequences are executed depending on the key bits. In RSA, the attack
exploits the time taken by modular exponentiation, which in a naive square-and-multiply
implementation depends on the bits of the private exponent $d$. Although the timing attack is
a serious threat, there are simple countermeasures, including constant-time exponentiation
algorithms, adding random delays, and blinding (multiplying the ciphertext by $r^e$ for a random
$r$ before decrypting and dividing out $r$ afterwards, so that the timing is decoupled from the
attacker's input).


5.4.3.3 Chosen Ciphertext Attacks

In CCA, an attacker chooses ciphertexts and gets the decrypted plaintexts back. The ciphertexts
are chosen to exploit properties of RSA, in particular its multiplicative property
$E_{PU}(M_1) \cdot E_{PU}(M_2) \equiv E_{PU}(M_1 M_2) \pmod n$, which lets an attacker obtain the
decryption of a target ciphertext $C$ by asking for the decryption of the related ciphertext
$C \cdot r^e \bmod n$. Textbook RSA is in fact vulnerable to CCA. Nonetheless, CCA can be countered
by randomized padding of the plaintext, in particular Optimal Asymmetric Encryption Padding
(OAEP), which makes related ciphertexts decrypt to invalid plaintexts.
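The following Python example is added here and is not the book's code. It implements the key setup of Section 5.4.1 (a Miller-Rabin primality test and the extended Euclidean algorithm for $d$), the encryption and decryption of Section 5.4.2 including the Chinese Remainder Theorem speed-up, and, for the chosen-ciphertext attack of this section, the blinding attack on unpadded RSA: `demo_cca` plays both the attacker and a decryption oracle that refuses only the exact target ciphertext. The key sizes used and the helper names are assumptions; real deployments use padded RSA (OAEP), not the raw operation shown.

```python
import random
from math import gcd


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                      # witness of compositeness found
    return True


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a: int, m: int) -> int:
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def rsa_keys_from_primes(p: int, q: int, e: int):
    """Steps (2)-(6) of the key setup: PU = (e, n), PR = (d, n, p, q)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)                        # e*d = 1 (mod phi(n))
    return (e, n), (d, n, p, q)               # p, q kept for CRT decryption


def rsa_generate(bits: int, e: int = 65537):
    """Step (1): two random primes of bits/2 each, tested with Miller-Rabin."""
    rng = random.SystemRandom()

    def random_prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1   # full size, odd
            if is_probable_prime(cand):
                return cand
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return rsa_keys_from_primes(p, q, e)


def rsa_encrypt(pu, m: int) -> int:
    e, n = pu
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)                       # C = M^e mod n


def rsa_decrypt(pr, c: int) -> int:
    d, n, _, _ = pr
    return pow(c, d, n)                       # M = C^d mod n


def rsa_decrypt_crt(pr, c: int) -> int:
    """Same result as rsa_decrypt via two half-size exponentiations mod p, q."""
    d, n, p, q = pr
    m1 = pow(c, d % (p - 1), p)
    m2 = pow(c, d % (q - 1), q)
    h = (modinv(q, p) * (m1 - m2)) % p
    return m2 + h * q


def blinding_cca(pu, c: int, decrypt_oracle) -> int:
    """Chosen-ciphertext attack on unpadded RSA: the oracle will not decrypt c
    itself, so submit c * r^e mod n (which decrypts to M*r) and unblind."""
    e, n = pu
    r = random.randrange(2, n)
    while gcd(r, n) != 1:
        r = random.randrange(2, n)
    m_blinded = decrypt_oracle((c * pow(r, e, n)) % n)
    return (m_blinded * modinv(r, n)) % n


def demo_cca(pu, pr, m: int) -> int:
    """Attacker recovers m from its ciphertext without ever submitting it."""
    target = rsa_encrypt(pu, m)

    def oracle(c):
        if c == target:
            raise PermissionError("oracle refuses the target ciphertext")
        return rsa_decrypt(pr, c)
    return blinding_cca(pu, target, oracle)


def roundtrip_random_key(bits: int = 256) -> bool:
    pu, pr = rsa_generate(bits)
    m = random.randrange(1, pu[1])
    c = rsa_encrypt(pu, m)
    return rsa_decrypt(pr, c) == m == rsa_decrypt_crt(pr, c)
```

The same blinding trick that breaks unpadded RSA here is, used by the legitimate decryptor on its own input, the timing-attack countermeasure mentioned in Section 5.4.3.2.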


5.5 Diffie-Hellman (D-H) Key Exchange 


One of the important services provided by public key cryptography is efficient key exchange.
The D-H key exchange is one of the first practical examples of a public key scheme [21]. The
D-H algorithm cannot be used to exchange an arbitrary message. It rather establishes a common
key that is known only to the two participants. The D-H algorithm is based on exponentiation in a
finite field, which is easy to compute. The security of the D-H algorithm is based on the
difficulty of computing discrete logarithms.


5.5.1 Finite-Field Diffie-Hellman 


The D-H algorithm starts by setting global parameters agreed by both participants. The global
parameters of finite-field D-H are a large prime $q$ and an element $\alpha$ that is a primitive root
modulo $q$. Note that if $\alpha$ is a primitive root of the prime number $q$, then the numbers
$(\alpha \bmod q), (\alpha^2 \bmod q), \dots, (\alpha^{q-1} \bmod q)$ are distinct and consist of the integers
from $1$ through $(q-1)$ in some permutation. Each participant generates a public and a private
key. User A generates the key pair as follows:


• First choose a secret key $x_A$ uniformly at random with $1 < x_A < q - 1$;
• Then compute the public key $y_A = \alpha^{x_A} \bmod q$.

User B generates the key pair as follows:


• First choose a secret key $x_B$ uniformly at random with $1 < x_B < q - 1$;
• Then compute the public key $y_B = \alpha^{x_B} \bmod q$.


The two participants A and B first exchange their public keys, then each computes the common
secret key $K_{AB}$ locally:

• At A: $K_{AB} = y_B^{x_A} \bmod q = \alpha^{x_B x_A} \bmod q$.
• At B: $K_{AB} = y_A^{x_B} \bmod q = \alpha^{x_A x_B} \bmod q$.

The key $K_{AB}$ is used as a session key for any symmetric-key encryption scheme. In practice
$K_{AB}$ is not used directly but passed through a key derivation function, and each side should
reject a received public value of $0$, $1$ or $q - 1$, which would force the shared secret into a
trivial value.


D-H example: Given the global parameters $q = 29$ and $\alpha = 3$, the two participants
select secret keys $x_A = 7$ and $x_B = 11$. The public keys are computed as follows:

$$y_A = 3^7 \bmod 29 = 12; \qquad y_B = 3^{11} \bmod 29 = 15.$$

The shared session key is then

$$K_{AB} = 15^7 \bmod 29 = 12^{11} \bmod 29 = 17.$$


5.5.2 Elliptic-Curve Diffie-Hellman 


The Elliptic-Curve Diffie-Hellman (ECDH) is based on Elliptic Curve Cryptography (ECC).
An elliptic curve over a finite field $\mathbb{F}$ is the set of points satisfying

$$y^2 = x^3 + ax + b, \tag{5.22}$$

together with a distinguished point at infinity $\mathcal{O}$. The finite field is either a prime field
$\mathbb{F}_p$ of prime order $p$ or a binary field $\mathbb{F}_{2^m}$ of order $2^m$. The domain parameters
in ECDH are $(p, a, b, G, n, h)$ for a prime field or $(m, f(x), a, b, G, n, h)$ for a binary field
(with $f(x)$ the irreducible polynomial defining the field), where $G$ is a base point on the curve
of prime order $n$ (so $n \cdot G = \mathcal{O}$) and $h$ is the cofactor. The basic idea of ECDH key
agreement is the same as in finite-field D-H, with scalar multiplication of points taking the place
of modular exponentiation. Two participants A and B perform symmetric operations:


• A and B pick private keys $d_A \in [1, n-1]$ and $d_B \in [1, n-1]$;

• Each computes the corresponding public key $Q_A = d_A \cdot G$ and $Q_B = d_B \cdot G$;

• They exchange the public keys;

• Each computes the shared key locally, $K_{AB} = d_A \cdot Q_B = d_B \cdot Q_A = d_A d_B \cdot G$.

Note that $k \cdot G$ denotes adding $G$ to itself $k$ times on the elliptic curve (scalar multiplication,
computed by double-and-add). Recovering $d$ from $d \cdot G$ is the elliptic curve discrete logarithm
problem. Before using a received public key, each side should check that it is actually a point
on the agreed curve.


5.5.3 Diffie-Hellman Key Exchange Vulnerability 


D-H key exchange by itself is vulnerable to a man-in-the-middle attack, because the public
values are not authenticated. Assume that A and B are legitimate users and C is the attacker.
The man-in-the-middle attack is launched as follows:


• C generates two random private keys $x_{C1}$ and $x_{C2}$, and the corresponding public keys
  $y_{C1} = \alpha^{x_{C1}} \bmod q$ and $y_{C2} = \alpha^{x_{C2}} \bmod q$.
• C intercepts $y_A$ that is sent from A to B and delivers $y_{C1}$ to B instead. C computes
  $k_2 = (y_A)^{x_{C2}} \bmod q$.
• B computes $k_1 = (y_{C1})^{x_B} \bmod q$.
• C intercepts $y_B$ that is sent from B to A and delivers $y_{C2}$ to A instead. C computes
  $k_1 = (y_B)^{x_{C1}} \bmod q$.
• A computes $k_2 = (y_{C2})^{x_A} \bmod q$.


After the attack, A and C share the key $k_2$, while B and C share the key $k_1$; neither A nor B can
tell that anything is wrong. In later communications, C can either impersonate B to communicate
with A or vice versa. C may also act as an eavesdropper by decrypting with one key, reading the
traffic, and re-encrypting it with the other key before relaying it. The defense is to authenticate
the exchanged public values, e.g. by signing them with a long-term key whose public half the
other party can verify.
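The exchange of Section 5.5.1 with the textbook parameters, and the man-in-the-middle attack of this section, as an added Python example that is not part of the book. `is_primitive_root` checks the generator property stated in Section 5.5.1 (by trial-division factoring of $q-1$, adequate only for the tiny textbook $q$); `dh_shared` rejects the trivial peer values $0$, $1$ and $q-1$; `man_in_the_middle` returns the keys each party ends up holding. The attacker exponents $x_{C1} = 9$ and $x_{C2} = 5$ in the test are constructed sample values.

```python
def prime_factors(n: int) -> set:
    """Trial division (assumption: only adequate for the tiny textbook q)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_primitive_root(a: int, q: int) -> bool:
    """a generates all of 1..q-1 iff a^((q-1)/r) != 1 (mod q) for every prime r dividing q-1."""
    return all(pow(a, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def dh_public(q: int, a: int, x: int) -> int:
    """y = a^x mod q for a private exponent 1 < x < q-1."""
    if not 1 < x < q - 1:
        raise ValueError("private exponent out of range")
    return pow(a, x, q)


def dh_shared(q: int, y_other: int, x: int) -> int:
    """K = y_other^x mod q; peer values 0, 1 and q-1 would force K into {0, 1, q-1}."""
    if not 1 < y_other < q - 1:
        raise ValueError("rejecting trivial peer public value")
    return pow(y_other, x, q)


def textbook_exchange() -> dict:
    """Section 5.5.1 example: q = 29, alpha = 3, x_A = 7, x_B = 11."""
    q, a, xA, xB = 29, 3, 7, 11
    yA, yB = dh_public(q, a, xA), dh_public(q, a, xB)
    return {"yA": yA, "yB": yB,
            "K_at_A": dh_shared(q, yB, xA), "K_at_B": dh_shared(q, yA, xB)}


def man_in_the_middle(q: int, a: int, xA: int, xB: int, xC1: int, xC2: int) -> dict:
    """C substitutes its own public values; nobody notices because the public
    values carry no authentication."""
    yA, yB = dh_public(q, a, xA), dh_public(q, a, xB)
    yC1, yC2 = dh_public(q, a, xC1), dh_public(q, a, xC2)
    # A -> B: C intercepts yA and delivers yC1 to B.
    # B -> A: C intercepts yB and delivers yC2 to A.
    k2_at_C = dh_shared(q, yA, xC2)      # C's key towards A
    k1_at_B = dh_shared(q, yC1, xB)      # B believes this is shared with A
    k1_at_C = dh_shared(q, yB, xC1)      # C's key towards B
    k2_at_A = dh_shared(q, yC2, xA)      # A believes this is shared with B
    return {"A": k2_at_A, "B": k1_at_B, "C_with_A": k2_at_C, "C_with_B": k1_at_C}
```

A and B each hold a key that matches one of C's keys, and the two keys differ, so C can decrypt, read and re-encrypt everything in transit.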


5.6 Summary 


In this chapter, several more cryptographic techniques are illustrated, including AES, block 
cipher modes of operations, and the introduction to public key cryptographic systems. RSA 
algorithm and D-H key exchange algorithm are described in further details for public key 
cryptographic systems. Those cryptographic techniques are used for security mechanisms 
designed for some wireless communications systems. 
6 Message Authentication, Digital Signature, and Key Management


In Chapters 4 and 5, encryption has been illustrated to protect the secrecy of the message 
contents. Besides the secrecy, there are other security aspects for protection, for example, 
the integrity of the message, the identity of the sender, etc. In this chapter, message authenti- 
cation and digital signature will be introduced to protect those aspects of message contents. 
Furthermore, key management will be discussed for different cryptographic systems. 


6.1 Message Authentication 


6.1.1 Message Authentication Functions 


Message authentication ensures that a message is received from the alleged sender and in 
its original form. No alteration of the content shall be allowed during the transmission. 
Thus, message authentication is a method to verify that the integrity of a message is main- 
tained during communications [32]. Message authentication can also be applied to validate 
identity of the originator, and provide non-repudiation of the origin (dispute resolution). 
There are three types of functions that may be used to produce an authenticator: message 
encryption, message authentication code, and hash function. 

Message encryption provides confidentiality of the message during transmission.
Nonetheless, message encryption by itself also provides a measure of authentication.
If symmetric encryption is used with a suitable structure, redundancy or a checksum inside the
plaintext, then the receiver can check that the received content was not altered during
transmission. Moreover, the receiver can then also authenticate the sender, since only the two
of them can create a ciphertext with meaningful content. Note that encryption alone, without
such redundancy, gives no integrity guarantee: with the keystream-style modes of Chapter 5
(OFB, CTR) an attacker can flip chosen plaintext bits by flipping the corresponding ciphertext
bits, which is why modern designs pair encryption with a MAC or use an authenticated
encryption mode. If public-key encryption is used, encryption with the public key does not
provide message authentication, since anyone who knows the public key could have created the
message. However, if the sender signs the message using its private key and then encrypts it
with the receiver's public key, message authentication is provided just as with symmetric
ciphers. While message authentication can be provided in this way, it is not recommended
because of the cost of two public key operations on each message.

A Message Authentication Code (MAC) is a cryptographic checksum: a fixed-size block of bits
generated by an algorithm from both the message and a secret key. It performs similarly to
encryption, but a MAC algorithm is not required to be reversible, and in practice MAC
algorithms are many-to-one functions because of their small fixed-size output. The MAC is
appended to the original message before transmission. The receiver performs the same
computation on the received message and checks whether the result matches the received MAC.
A MAC provides assurance that the message is unaltered and comes from a holder of the key.

A hash function creates a fixed-size block based on the original message. Different from
a MAC algorithm, a hash function does not use a secret key; the hash value is created solely
from the message. Before transmission, a hash value is created and appended to the original
message. The receiver performs the same computation on the received message to create a hash
value. If the hash value matches the received one, the received message is considered
unaltered. However, since no key is involved, an attacker who modifies the message can simply
recompute the hash, so a bare hash value validates neither the integrity against an active
attacker nor the identity of the originator, and it provides no non-repudiation. A hash value
only authenticates a message when it is itself protected, e.g. by a signature or by a secret key.


6.1.2 Message Authentication Code 


An overview of MAC usage is shown in Figure 6.1. At the sender side, the original message
is passed through a MAC algorithm $F_K(\cdot)$ with a secret key $K$. The output of $F_K(\cdot)$ is the
MAC, which is then appended to the original message for transmission. At the receiver side,
the same algorithm is applied to the received message and the secret key. The computed result
is then compared with the received MAC for verification (the comparison should be done in
constant time so that the comparison itself does not leak how many leading bytes matched). If
the two values match, the integrity of the message is validated. It can be seen that a MAC
provides authentication only; the message is still transmitted in clear text. In order to provide
confidentiality, encryption is required, with a key different from the MAC key. One can compute
the MAC either over the plaintext before encryption or over the ciphertext after encryption.
Current practice generally favours the latter (encrypt-then-MAC), because the receiver then
rejects a forged or modified ciphertext before feeding it to the decryption routine. Note that a
MAC is not a digital signature: a MAC does not provide non-repudiation, since anyone holding
the shared key, including the receiver, could have produced it.

There are several requirements for a MAC algorithm $F_K(\cdot)$ (with key $K$), listed as follows:


• With a known message $M_1$ and its MAC $F_K(M_1)$, it is infeasible (in practice) to find
  another message $M_2$ that generates the same MAC, $F_K(M_2) = F_K(M_1)$.

• MACs generated by $F_K$ should be uniformly distributed.

• MAC generation should depend equally on all bits of the input message.

Note that a MAC algorithm $F_K(\cdot)$ is in general a many-to-one function, since the output
is a fixed-size block (which usually is smaller than the input message). Therefore, different
messages can have the same MAC. However, it must be extremely hard (e.g. possible only by
exhaustive search) to find two messages that generate the same MAC in practice.

Figure 6.1 An illustration of message authentication code usage.

It was mentioned before that symmetric ciphers may be applied for message authentication.
Symmetric block ciphers are good candidates for MAC algorithms, since good block ciphers
meet the three requirements very well. A block cipher chaining mode can be used with the
output of the final block serving as the MAC (the CBC-MAC construction of Section 6.2.1). Note,
however, that the plain construction is only secure for messages of one fixed length; for
variable-length messages it must be strengthened, as in CMAC, or an attacker can splice known
message/MAC pairs into a valid MAC for a new message.


6.1.3 Hash Functions


A hash function maps an input message of arbitrary size to a fixed-size block (i.e. a hash
value) [33]. Using a hash function for message authentication is similar to using a MAC, as
illustrated in Figure 6.2. The sender generates a hash value based on the original message.
The hash value is appended to the message before transmission. At the receiver side, the
same hash function is applied to the received message to generate a hash value, which is
then compared with the received hash value for verification. If they match, the integrity
of the message is verified (against accidental modification only, unless the hash value itself
is protected, as discussed below).

Hash functions used for message authentication are cryptographic hash functions, also
called secure hash functions. For a cryptographic hash function $H(\cdot)$, the requirements are
listed as follows:


• The function can be applied to a message $M$ of arbitrary size.

• The output hash value $h$ has a fixed length.

• It is easy to compute $h = H(M)$ for any message $M$.

• Given $h$, it is infeasible to find an input $x$ such that $H(x) = h$ (one-way property, or
  preimage resistance).

• Given $x$, it is infeasible to find $y \ne x$ such that $H(y) = H(x)$ (weak collision resistance,
  or second-preimage resistance).

• It is infeasible to find any pair $x \ne y$ such that $H(y) = H(x)$ (strong collision resistance).


Since the hash value has a fixed size but the input message can be of any size, a hash function is
a many-to-one function: there exist multiple inputs that produce the same hash value. However,
finding such inputs should be no easier than a brute-force search. There are several proposals
for simple hash functions. One example is to simply split the input into blocks and XOR all
the blocks together. Such a simple hash function cannot be used for message authentication,
because it does not satisfy the requirements for cryptographic hash functions: it is easy to
manipulate the original message without changing the final hash value (e.g. by swapping two
blocks, or by XORing the same pattern into two different blocks).

Figure 6.2 Hash function for message authentication.

Figure 6.3 Hash function with digital signature.

A hash function is generally public and not keyed; a MAC function, on the other hand, is keyed.
Hash functions can be used in various ways to provide security protections. One such
application is to combine a hash function with a digital signature to provide both message
authentication and non-repudiation. An overview of this application is shown in Figure 6.3. The
sender first computes a hash value of the input message, then signs the hash value with its
private key to create a digital signature; the hash function together with the private-key
operation constitutes the signature scheme. The generated digital signature is appended to the
original message. At the receiver side, a hash value is first computed from the received message.
The received digital signature is then verified against that hash value using the sender's public
key. If the two match, the received message is unaltered, and, because only the holder of the
private key could have produced the signature, non-repudiation is obtained in addition to
message authentication.


6.1.4 Size of MAC and Hash Value 


The security of a MAC or hash function depends on the size of the MAC or hash value. If the 
size of the MAC or hash value is too small, it is susceptible to attacks, especially the birthday 
attack. The birthday attack is based on the birthday paradox [34]: compute the probability 
P(n) that, in a set of n randomly chosen people, at least two of them have the same birthday. 
For simplicity, assume that there are 365 equally likely birthdays (ignoring leap years, twins, 
etc.); then P(n) is calculated as follows: 

$$
P(n) = \begin{cases}
0, & n = 1, \\
1 - \dfrac{365!}{365^{n}\,(365-n)!}, & 1 < n \le 365, \\
1, & n > 365,
\end{cases}
\qquad (6.1)
$$

where $365!/(365^{n}(365-n)!) = \prod_{i=0}^{n-1}(1 - i/365)$ is the probability that no two people 
in the room have the same birthday. According to the birthday paradox, P(n) > 99.9% is reached 
with n ≥ 70 people, and P(n) > 50% is reached with just n ≥ 23 people. An illustration of the 
probability with regard to the number of people is given in Figure 6.4. The birthday paradox 
shows that a collision occurs with high probability after sampling far fewer values than the 
size of the output space (roughly its square root). 

Figure 6.4 Illustration of birthday paradox. 

According to the birthday paradox, a birthday attack works as follows: for an m-bit hash 
value, an attacker first generates 2^{m/2} variations of a valid message, all with essentially 
the same meaning (e.g. "class at nine" and "class in the morning", or the same text with 
different whitespace). The attacker also generates 2^{m/2} variations of a desired fraudulent 
message (e.g. "class at noon"). By the birthday paradox, there is better than a 50% chance 
that a pair of messages, one from each set, hashes to the same value. If such a pair is found, 
the attacker has the victim sign the harmless variant and later substitutes the fraudulent one, 
which passes the hash value check. Therefore, MAC and hash values must be large enough to make 
the birthday attack infeasible: for an m-bit value, a brute-force attack on strong collision 
resistance costs about 2^{m/2} operations, versus 2^m for finding a preimage or a second preimage. 
In general, a 128-bit hash value is considered vulnerable to collision attacks, while 160 bits 
or larger was recommended at the time of the standards discussed below; 256 bits (e.g. SHA-256) 
is the usual minimum today, since 160-bit SHA-1 has since been broken in practice (see the 
discussion of SHA-1 below). For a MAC, 128 bits or larger is recommended, since a MAC is 
additionally protected by the secret key and the attacker cannot compute tags offline. 
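The following Python program is an added worked example (not from the book) of the two computations above: it evaluates P(n) exactly from Eq. (6.1) and then mounts the two-set birthday attack against a deliberately undersized hash. SHA-256 truncated to `bits` bits stands in for a too-short MAC/hash value, and `variant()` is this example's own way of producing semantically identical message variants (trailing whitespace that encodes a counter); the function names and sample messages are likewise the example's choices.

```python
import hashlib
from itertools import count


def p_collision(n: int, days: int = 365) -> float:
    """P(n): probability that at least two of n people share a birthday (Eq. 6.1)."""
    if n < 1:
        raise ValueError("n must be at least 1")
    if n > days:
        return 1.0
    prob_all_distinct = 1.0
    for i in range(n):                       # 365!/(365^n (365-n)!) = prod_{i<n} (1 - i/365)
        prob_all_distinct *= (days - i) / days
    return 1.0 - prob_all_distinct


def smallest_n_reaching(threshold: float, days: int = 365) -> int:
    """Smallest group size whose collision probability reaches `threshold`."""
    for n in count(1):
        if p_collision(n, days) >= threshold:
            return n


def truncated_hash(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256: a stand-in for an undersized hash/MAC value."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def variant(base: bytes, i: int) -> bytes:
    """The i-th semantically identical variant of `base`: trailing whitespace encoding i
    in binary (space = 1, tab = 0).  A human reads the same text for every i."""
    width = i.bit_length() or 1
    return base + bytes(0x20 if (i >> j) & 1 else 0x09 for j in range(width))


def birthday_attack(bits: int, legit: bytes, fraud: bytes):
    """Yuval's two-set attack: hash 2^(bits/2) variants of the legitimate message into a
    table, then hash variants of the fraudulent message until one lands on an occupied
    entry.  Expected cost is about 2^(bits/2) fraudulent trials, not 2^bits.
    Returns (legit_variant, fraud_variant, fraud_trials)."""
    table = {}
    for i in range(1 << (bits // 2)):
        v = variant(legit, i)
        table.setdefault(truncated_hash(v, bits), v)
    for j in count():
        f = variant(fraud, j)
        h = truncated_hash(f, bits)
        if h in table:
            return table[h], f, j + 1


if __name__ == "__main__":
    print(f"P(23) = {p_collision(23):.4f}, P(70) = {p_collision(70):.5f}")
    good, bad, trials = birthday_attack(32, b"class at nine", b"class at noon")
    print(f"32-bit collision after {trials} fraudulent variants (expected about {1 << 16}):")
    print(f"  {good!r}\n  {bad!r}")
```

Run with `bits = 32` the attack finishes in well under a second; every additional 2 bits of hash length doubles the work, which is the whole argument for 256-bit digests.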


6.2 MAC and Hash Algorithms 


There are many algorithms and functions to generate MAC and hash values. This section 
will describe some examples of both MAC and secure hash functions. 


6.2.1 Data Authentication Algorithm 


Data Authentication Algorithm (DAA) is a MAC algorithm that applies the block cipher DES 
in CBC mode. DAA is standardized in FIPS PUB 113 / ANSI X9.17 [35]. Figure 6.5 gives an 
overview of DAA. The input message M is divided into N blocks D_1, ..., D_N of 64 bits each, 
with the last block D_N padded with zeros, if necessary, to exactly 64 bits. The initialization 
vector IV is set 

Figure 6.5 Data authentication algorithm. 
Figure 6.6 A basic structure of hash function. 

to zeros in DAA. Each block operation XORs the current data block D_i with the output of the 
previous block and feeds the result to DES under the secret key K. Mathematically, DAA is 
expressed as follows: 

$$
O_i = \begin{cases}
IV = 0^{64}, & i = 0, \\
\mathrm{DES}_K(D_i \oplus O_{i-1}), & i = 1, 2, \dots, N.
\end{cases}
\qquad (6.2)
$$

The output of the final block operation O_N is the MAC value; the most significant 16 to 
64 bits of O_N may be used as the MAC. However, as mentioned earlier, even the entire 64 bits 
is considered too small for security today, and DES itself (with its 56-bit key) was withdrawn 
by NIST in 2005. Note also that this plain CBC-MAC construction is only secure for messages of 
one fixed length; with variable-length messages it admits simple forgeries, which is what CMAC 
(Section 6.2.6.2) corrects. 


6.2.2 A Basic Hash Function Structure 


Many hash functions follow the basic structure shown in Figure 6.6 (the Merkle-Damgard 
construction). It condenses an arbitrary-size message M to a fixed-size value by processing 
the input in blocks through a compression function, either custom-designed or block-cipher 
based. The input is first padded to a multiple of the block size b bits, and then split into 
L blocks I_0 || I_1 || ... || I_{L-1}. Each block operation is a compression function F that 
takes the b-bit input block I_i and the n-bit result O_{i-1} of the previous block operation, 
and outputs an n-bit result O_i: 

$$
O_i = \begin{cases}
F(I_0, IV), & i = 0, \\
F(I_i, O_{i-1}), & i = 1, 2, \dots, L-1.
\end{cases}
\qquad (6.3)
$$

The final output O_{L-1} is the hash value. This structure has been proven sound in the sense 
that, provided the message length is included in the padding, a collision in the hash function 
implies a collision in F; newer designs simply refine the structure and increase the hash 
length. One consequence of the chained structure is that anyone who knows H(M) and the length 
of M can resume the chain and compute H(M || pad || M') without knowing M. This is why hashing 
a secret key concatenated with the message is not a safe MAC (see HMAC in Section 6.2.6.1). 


6.2.3 Secure Hash Algorithm (SHA) 


Secure Hash Algorithm (SHA) was originally designed by the US government agencies NIST 
and NSA in 1993 [36]. The corresponding standard is NIST FIPS PUB 180. SHA is based 
on the design of the Message-Digest Algorithm MD4, with key differences. The original SHA was 

Table 6.1 Comparison of SHA parameters (in bits). 

                         SHA-1     SHA-256   SHA-384   SHA-512 
Message digest size      160       256       384       512 
Maximum message size     2^64      2^64      2^128     2^128 
Block size               512       512       1024      1024 
Word size                32        32        64        64 
Number of steps          80        64        80        80 
Security                 80        128       192       256 

revised in 1995 as SHA-1, standardized as NIST FIPS PUB 180-1. SHA-1 has 80 rounds with 
a block size of 512 bits and produces 160-bit hash values. In February 2005, an attack by 
X. Wang, Y. Yin, and H. Yu was announced [37]. The attack finds collisions in the full 
version of SHA-1 with fewer than 2^69 operations, far fewer than the 2^80 operations 
previously thought needed to find a collision for a 160-bit hash. In 2017, the first actual 
collision for full SHA-1 was published [38]. NIST issued revision FIPS 180-2 in 2002, commonly 
known as SHA-2, which adds three additional versions of SHA: SHA-256, SHA-384, and 
SHA-512. The standard was further updated to NIST FIPS 180-4 in 2012 [36]. A comparison 
of SHA parameters is shown in Table 6.1. The newer versions of SHA were designed to match 
the increased security levels provided by the AES key sizes. Although the structure of 
SHA-2 is similar to that of SHA-1, security is much improved in SHA-256, SHA-384, and SHA-512. 
Here, "security" refers to the fact that a birthday attack on a message digest of size n produces 
a collision with a work factor of approximately 2^{n/2}. 


6.2.4 SHA-512 


As defined in NIST FIPS 180-4 [36], SHA-256, SHA-384, and SHA-512 share a similar 
structure; SHA-512 is described in detail here. The SHA-512 algorithm takes as input 
a message of length less than 2^128 bits and produces as output a 512-bit 
message digest. SHA-512 follows the structure depicted in Figure 6.7. The algorithm 
consists of the following steps: 

(1) Append padding to the original message. The padding is a single '1' bit followed by 
zeros, so that the padded length is congruent to 896 modulo 1024. The length of the padding 
is between 1 and 1024 bits. That is to say, if the original message already has a length 
congruent to 896 modulo 1024 (e.g. a length of 896 bits), padding is still applied, in that 
case 1 || 0 ... 0 (i.e. a '1' followed by 1023 '0's). 

(2) Append Length to the padded message. Length is a block of 128 bits that contains 
the length in bits of the original message M (before padding). With padding and the length 
block, the total is a multiple of 1024 bits and is divided into N blocks M_1, ..., M_N of 1024 
bits each. For example, if the original message is 896 bits, 1024 bits of padding are appended 
(giving 1920 bits), and Length records 896 in 128 bits; the total input has a length of 
2048 bits, i.e. N = 2. 

(3) Initialize the hash buffer H_0 = IV, which consists of 512 bits or eight 64-bit words. 

Figure 6.7 Overview of the SHA-512 algorithm. 

(4) Process the message in 1024-bit (sixteen 64-bit words) blocks with the compression 
function, labeled F in Figure 6.7, which is the core of SHA-512. 
(5) Output the 512-bit final state H_N as the resulting hash value. 


6.2.4.1 SHA-512 Compression Function 
The compression function F is the core of SHA-512. The overall structure of the compres- 
sion function is shown in Figure 6.8. It processes the 1024-bit (sixteen 64-bit words) message 
blocks M_1 || M_2 || ... || M_N and outputs a 512-bit buffer value. For each block, the buffer 
value from the previous block operation is fed into the function together with the message 
block. The buffer value is then updated by adding the output of the compression function to 
the previous buffer value, word by word modulo 2^64 (the "+" in Figure 6.8). Therefore, for the 
ith block operation, the updated buffer value H_i is computed as follows: 

$$
H_i = \begin{cases}
F(M_1, IV) + IV, & i = 1, \\
F(M_i, H_{i-1}) + H_{i-1}, & i = 2, \dots, N,
\end{cases}
\qquad (6.4)
$$

where "+" denotes word-wise addition modulo 2^64 and IV is the initial buffer value H_0, whose 
eight 64-bit words are the first 64 bits of the fractional parts of the square roots of the 
first eight prime numbers (i.e. 2, 3, 5, 7, 11, 13, 17, 19). In hex, H_0 consists of the 
following eight 64-bit words: 

H_0[A] = 6A09E667F3BCC908 
H_0[B] = BB67AE8584CAA73B 
H_0[C] = 3C6EF372FE94F82B 
H_0[D] = A54FF53A5F1D36F1 
H_0[E] = 510E527FADE682D1 
H_0[F] = 9B05688C2B3E6C1F 
H_0[G] = 1F83D9ABFB41BD6B 
H_0[H] = 5BE0CD19137E2179 

The compression function F consists of 80 rounds. Each round (say the tth round) takes as 
input the 512-bit buffer value and updates its contents. In addition to the buffer value, 
each round also makes use of a 64-bit word W_t, derived by a message schedule from the current 
1024-bit message block being processed, and an 

Figure 6.8 SHA-512 compression function F. 

additive constant K_t, taken from the first 64 bits of the fractional parts of the cube roots 
of the first eighty prime numbers. The output of the 80th round is added (word-wise modulo 
2^64) to the input of the first round to produce the final buffer value for this message block, 
which forms the input to the next block operation of the compression function. 


6.2.4.2 SHA-512 Round Function 

The structure of each of the 80 rounds is shown in Figure 6.9. Each 64-bit word (i.e. A, B, 
C, D, E, F, G, or H) is shuffled along one place, and in some cases manipulated using a 
series of simple logical functions: AND (∧), NOT (¬), XOR (⊕). In addition, R^n(x) denotes a 
circular right shift (rotation) of the argument x by n bits; the rotations provide the avalanche 
and completeness properties of the hash function. The logical functions are defined as follows: 

• Maj(A, B, C) = (A ∧ B) ⊕ (A ∧ C) ⊕ (B ∧ C), 
• Σ_0(A) = R^28(A) ⊕ R^34(A) ⊕ R^39(A), 

110 | 6 Message Authentication, Digital Signature, and Key Management 
Figure 6.10 SHA-512 message schedule. 

• Ch(E, F, G) = (E ∧ F) ⊕ (¬E ∧ G), 
• Σ_1(E) = R^14(E) ⊕ R^18(E) ⊕ R^41(E), 
• "+" is addition modulo 2^64. 

Round t computes T_1 = H + Σ_1(E) + Ch(E, F, G) + K_t + W_t and T_2 = Σ_0(A) + Maj(A, B, C), 
and then updates the buffer as (A, B, C, D, E, F, G, H) ← (T_1 + T_2, A, B, C, D + T_1, E, F, G). 


The 1024-bit message block is expanded into eighty 64-bit words W_0, ..., W_79 by following 
the message schedule shown in Figure 6.10. The first 16 words W_0, ..., W_15 are taken directly 
from the 16 words of the current message block M_i. For the remaining 64 steps, the value of 
W_t is calculated by 

$$
W_t = \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16}, \qquad t = 16, \dots, 79,
$$

where + is addition modulo 2^64. The two logical functions σ_0 and σ_1 are defined as 
follows: 

$$
\sigma_0(x) = R^{1}(x) \oplus R^{8}(x) \oplus S^{7}(x),
$$

$$
\sigma_1(x) = R^{19}(x) \oplus R^{61}(x) \oplus S^{6}(x),
$$

where S^n(x) is the (non-circular) right shift of the argument x by n bits. The word expansion 
introduces a great deal of redundancy and interdependence into the message blocks that are 
compressed, which complicates the task of finding a different message block that maps to the 
same compression function output. The eighty additive constants K_0, ..., K_79 are the first 
64 bits of the fractional parts of the cube roots of the first eighty prime numbers. Table 6.2 
lists the constants in hexadecimal [36]. 
Table 6.2 Additive constants K_0, K_1, ..., K_79 for SHA-512 (in row order K_0, K_1, K_2, K_3, ...). 

428A2F98D728AE22  7137449123EF65CD  B5C0FBCFEC4D3B2F  E9B5DBA58189DBBC 
3956C25BF348B538  59F111F1B605D019  923F82A4AF194F9B  AB1C5ED5DA6D8118 
D807AA98A3030242  12835B0145706FBE  243185BE4EE4B28C  550C7DC3D5FFB4E2 
72BE5D74F27B896F  80DEB1FE3B1696B1  9BDC06A725C71235  C19BF174CF692694 
E49B69C19EF14AD2  EFBE4786384F25E3  0FC19DC68B8CD5B5  240CA1CC77AC9C65 
2DE92C6F592B0275  4A7484AA6EA6E483  5CB0A9DCBD41FBD4  76F988DA831153B5 
983E5152EE66DFAB  A831C66D2DB43210  B00327C898FB213F  BF597FC7BEEF0EE4 
C6E00BF33DA88FC2  D5A79147930AA725  06CA6351E003826F  142929670A0E6E70 
27B70A8546D22FFC  2E1B21385C26C926  4D2C6DFC5AC42AED  53380D139D95B3DF 
650A73548BAF63DE  766A0ABB3C77B2A8  81C2C92E47EDAEE6  92722C851482353B 
A2BFE8A14CF10364  A81A664BBC423001  C24B8B70D0F89791  C76C51A30654BE30 
D192E819D6EF5218  D69906245565A910  F40E35855771202A  106AA07032BBD1B8 
19A4C116B8D2D0C8  1E376C085141AB53  2748774CDF8EEB99  34B0BCB5E19B48A8 
391C0CB3C5C95A63  4ED8AA4AE3418ACB  5B9CCA4F7763E373  682E6FF3D6B2B8A3 
748F82EE5DEFB2FC  78A5636F43172F60  84C87814A1F0AB72  8CC702081A6439EC 
90BEFFFA23631E28  A4506CEBDE82BDE9  BEF9A3F7B2C67915  C67178F2E372532B 
CA273ECEEA26619C  D186B8C721C0C207  EADA7DD6CDE0EB1E  F57D4F7FEE6ED178 
06F067AA72176FBA  0A637DC5A2C898A6  113F9804BEF90DAE  1B710B35131C471B 
28DB77F523047D84  32CAAB7B40C72493  3C9EBE0A15C9BEBC  431D67C49C100D4C 
4CC5D4BECB3E42B6  597F299CFC657E2A  5FCB6FAB3AD6FAEC  6C44198C4A475817 

Figure 6.11 Overview of Whirlpool algorithm. 


6.2.5 Whirlpool 


Whirlpool is a hash function endorsed by the New European Schemes for Signatures, 
Integrity, and Encryption (NESSIE) project, a European Union-sponsored effort to put for- 
ward a portfolio of strong cryptographic primitives of various types [39]. The compression 
function of Whirlpool is based on a modified AES-like block cipher. It is intended to provide 
security and performance comparable to (if not better than) non-block-cipher based hash 
functions, e.g. SHA-2. The overall structure of Whirlpool is illustrated in Figure 6.11. It 
takes as input a message of length less than 2^256 bits and produces a 
512-bit message digest. The input is processed in 512-bit blocks. The algorithm consists of 
the following steps: 

(1) Append padding bits (1 || 0 ... 0) to make the message length congruent to 256 modulo 
512. Append another 256 bits at the end of the padded message that hold the length of the 
original message M. The augmented message is divided into N blocks M_1, ..., M_N of 512 bits 
each. 

(2) Set the initial hash matrix H_0 = IV (the all-zero 512-bit state). 

(3) Process the message in 512-bit (64-byte) blocks, using as its core the block cipher W. In 
block i, W encrypts the current message block M_i under the key H_{i-1}, the previous output; 

Table 6.3 Comparison of Whirlpool block cipher W and AES. 

                       Whirlpool                         AES 
Block size             512                               128 
Key size               512                               128, 192, 256 
Matrix orientation     Row-wise                          Column-wise 
Number of rounds       10                                10, 12, 14 
Key expansion          W round function                  Dedicated algorithm 
GF(2^8) polynomial     x^8 + x^4 + x^3 + x^2 + 1         x^8 + x^4 + x^3 + x + 1 
S-box                  Recursive structure               Multiplicative inverse in GF(2^8) 
                                                         plus affine transformation 
Round constants        Successive entries of the S-box   Elements 2^i of GF(2^8) 
Diffusion layer        Mix rows                          Mix columns 
Permutation            Shift columns                     Shift rows 

the output of W is XORed with M_i and H_{i-1} again to give 
H_i = W[H_{i-1}](M_i) ⊕ M_i ⊕ H_{i-1} (the Miyaguchi-Preneel construction). The output of 
the last block, H_N, is the 512-bit hash code. 

The block cipher W was specifically designed for use in the hash function Whirlpool. It has 
the security and efficiency of AES but with a block length, and hence a hash length, equal to 
that of SHA-512. A comparison of the Whirlpool block cipher W and AES is shown in Table 6.3. 

Figure 6.12 shows the structure of the block cipher W. Each round in the algorithm 
involves four steps: add round key, substitute bytes, shift columns, and mix rows. The input 
is mapped into the state by rows in W. The key schedule uses the same W round function, but 
with round constants RC[i] (successive S-box entries) instead of subkeys. 


6.2.6 Other MAC Functions 


6.2.6.1 Keyed Hash Functions as MACs 

Cryptographic hash functions are efficient and widely available; however, a hash function 
cannot be used directly as a MAC because it has no secret key, and simply hashing the key 
concatenated with the message is unsafe for an iterated hash (an attacker can extend the 
message and update the hash without knowing the key). HMAC is a MAC built from an existing 
hash function, standardized in the Internet standard RFC 2104 [40]. The overall structure 
of HMAC is shown in Figure 6.13. Given a secret key K, it is first padded with zeros on the 
right to create a b-bit string K^+, where b is the block size of the hash function (e.g. if 
K is 160 bits long and b = 512, then 44 zero bytes are appended to K); a key longer than b 
bits is first hashed down to n bits. ipad is the byte 00110110 (36 in hex) repeated to fill a 
block, and opad is the byte 01011100 (5C in hex) repeated to fill a block. M is the message 
input to HMAC (the embedded hash function applies its own padding). In summary, for a message 
M and a secret key K, HMAC computes the MAC as follows: 

$$
\mathrm{HMAC}(K, M) = H\big[(K^{+} \oplus \mathrm{opad}) \,\|\, H\big[(K^{+} \oplus \mathrm{ipad}) \,\|\, M\big]\big].
$$

Any iterated hash function H can be used in HMAC, e.g. MD5, SHA-2, Whirlpool, etc. The security 
of HMAC rests on the security of the underlying hash function (more precisely, on its compression 
function behaving as a pseudorandom function), and the nested, keyed outer hash prevents the 
extension attack that breaks H(K || M). 
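The following Python code is an added example (not the book's code and not a standard's reference implementation) covering both Section 6.2.4 (SHA-512) and HMAC above: `sha512()` implements FIPS 180-4 as described there (padding, message schedule, 80 rounds, word-wise feed-forward, the constants of Table 6.2 and H_0), `hmac_sha512()` builds RFC 2104 HMAC on top of it, and `extend_prefix_mac()` shows concretely why the shortcut H(K || M) is not a MAC: because the chain can be resumed from a known digest, an attacker who knows only the tag and the length of K || M forges a valid tag for an extended message. The function names, the `state`/`prior_len` resume parameters, and the sample key and messages are this example's own.

```python
import hashlib
import hmac
import struct

MASK64 = (1 << 64) - 1

# K_0..K_79 (Table 6.2): first 64 bits of the fractional parts of the cube roots of the first 80 primes
K = [
    0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
    0x3956c25bf348b538, 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
    0xd807aa98a3030242, 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
    0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 0xc19bf174cf692694,
    0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
    0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
    0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4,
    0xc6e00bf33da88fc2, 0xd5a79147930aa725, 0x06ca6351e003826f, 0x142929670a0e6e70,
    0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
    0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b,
    0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30,
    0xd192e819d6ef5218, 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
    0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
    0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
    0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
    0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b,
    0xca273eceea26619c, 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
    0x06f067aa72176fba, 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
    0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
    0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817,
]
# H_0: first 64 bits of the fractional parts of the square roots of the first 8 primes
IV = (0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
      0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179)


def rotr(x, n):
    """R^n(x): circular right shift of a 64-bit word by n bits."""
    return ((x >> n) | (x << (64 - n))) & MASK64


def sha512_pad(total_len):
    """Padding for a message of total_len bytes: 0x80, zeros to 112 mod 128, 128-bit bit-length."""
    zeros = (112 - (total_len + 1)) % 128
    return b"\x80" + bytes(zeros) + (8 * total_len).to_bytes(16, "big")


def sha512(message, state=IV, prior_len=0):
    """SHA-512 per FIPS 180-4.  The defaults give a fresh hash; a caller who knows a digest and
    the byte length it covers can pass them to resume the Merkle-Damgard chain (used below)."""
    h = list(state)
    data = message + sha512_pad(prior_len + len(message))
    for off in range(0, len(data), 128):
        w = list(struct.unpack(">16Q", data[off:off + 128]))
        for t in range(16, 80):                                   # message schedule
            s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((s1 + w[t - 7] + s0 + w[t - 16]) & MASK64)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):                                       # 80 rounds
            t1 = (hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41))  # Sigma_1(E)
                  + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64  # Ch(E,F,G)
            t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39))       # Sigma_0(A)
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK64       # Maj(A,B,C)
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
        h = [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]  # feed-forward, Eq. (6.4)
    return struct.pack(">8Q", *h)


def hmac_sha512(key, msg):
    """HMAC (RFC 2104) over the sha512 above; b = 1024 bits = 128 bytes."""
    if len(key) > 128:
        key = sha512(key)                        # keys longer than one block are hashed first
    k_plus = key + bytes(128 - len(key))         # K+: zero padding on the right
    ipad = bytes(x ^ 0x36 for x in k_plus)
    opad = bytes(x ^ 0x5C for x in k_plus)
    return sha512(opad + sha512(ipad + msg))


def extend_prefix_mac(tag, known_len, extension):
    """Length-extension forgery against the naive MAC H(K || M).  From H(K||M) and len(K||M)
    alone, return (glue, tag') with tag' = H(K || M || glue || extension); no key needed."""
    glue = sha512_pad(known_len)
    state = struct.unpack(">8Q", tag)
    return glue, sha512(extension, state=state, prior_len=known_len + len(glue))


def matches_stdlib(key, msg):
    """Cross-check sha512/hmac_sha512 against Python's hashlib and hmac modules."""
    return (sha512(msg) == hashlib.sha512(msg).digest()
            and hmac_sha512(key, msg) == hmac.new(key, msg, hashlib.sha512).digest())


def forgery_succeeds(key=b"s3cret", msg=b"user=alice&role=user", ext=b"&role=admin"):
    """Constructed scenario: the attacker sees tag = H(key||msg) and knows len(key||msg)
    but not key.  True if the forged tag verifies for the extended message."""
    tag = sha512(key + msg)
    glue, forged = extend_prefix_mac(tag, len(key) + len(msg), ext)
    return forged == hashlib.sha512(key + msg + glue + ext).digest()
```

The same trick does not work against `hmac_sha512`: the value an attacker would need to resume is the inner hash, which is never exposed, and the outer keyed hash covers it.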
Figure 6.12 Whirlpool block function W. 

Figure 6.13 HMAC overview. 

6.2.6.2 Cipher-Based MAC 

Cipher-based MAC (CMAC) is a block cipher-based MAC algorithm that has been widely 
adopted in government and industry. The core of the CMAC algorithm is a refinement of 
the Cipher Block Chaining MAC (CBC-MAC) adopted by NIST. CMAC uses two derived subkeys 
to remove the restriction of CBC-MAC that only messages of one fixed length of m × n bits 
can be processed securely, where n is the cipher block size and m is a fixed positive integer; 
with variable-length messages, plain CBC-MAC is trivially forgeable. CMAC is 
specified in NIST Special Publication 800-38B [41]. CMAC generates an l-bit MAC (the CMAC 
tag T) using a b-bit block cipher E (e.g. AES or triple DES) and a secret key K. Two subkeys 
K_1 and K_2 are first derived from K as follows: 

Figure 6.14 Cipher-based message authentication code (CMAC). (a) Message length is an integer 
multiple of the block size. (b) Message length is not an integer multiple of the block size. 

• Compute a temporary value K_0 = E_K(0^b). 

• If MSB(K_0) = 0, then K_1 = SL^1(K_0); else K_1 = SL^1(K_0) ⊕ C, where SL^n(x) is a left shift 
of the argument x by n bits and C is a constant that depends only on b (SP 800-38B specifies 
C = 0^120 || 10000111 for b = 128 and C = 0^59 || 11011 for b = 64). 

• If MSB(K_1) = 0, then K_2 = SL^1(K_1); else K_2 = SL^1(K_1) ⊕ C. 

For example, suppose b = 4, C = (0011)_2, and K_0 = E_K(0) = (0101)_2. Then K_1 = (1010)_2 
and K_2 = (0100)_2 ⊕ (0011)_2 = (0111)_2. Once the subkeys are generated, the CMAC tag 
T is generated as shown in Figure 6.14. The input message is split into b-bit blocks 
M = M_1 || M_2 || ... || M_N. If M_N is a complete block, it is XORed with K_1 as illustrated in 
Figure 6.14a. Otherwise, M_N is padded to a complete block with "10 ... 0" and XORed with K_2 
as illustrated in Figure 6.14b; call the result M_N^* in either case. Starting from c_0 = 0^b, 
the output of each block operation is computed for i = 1 to N − 1 as follows: 

$$
c_i = E_K(c_{i-1} \oplus M_i). \qquad (6.5)
$$

The output of the final block is c_N = E_K(c_{N-1} ⊕ M_N^*). The CMAC tag T is the l most 
significant bits of c_N, i.e. T = MSB_l(c_N). 
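The following Python is an added example (not the book's code) that serves both the DAA/CBC-MAC structure of Section 6.2.1 and CMAC above. It makes the fixed-length restriction concrete by forging a valid two-block CBC-MAC tag from two one-block tags without the key, implements the SP 800-38B subkey derivation generically enough to reproduce the 4-bit toy example above as well as the 128-bit case, and computes CMAC with the K_1/K_2 final-block step. The block cipher E_K is assumed: `toy_block_cipher` is a SHA-256-based keyed function standing in for AES, so its tags are not real AES-CMAC values; with an AES block encryptor from a crypto library in its place, the rest of the code is unchanged.

```python
import hashlib
from typing import Callable

BLOCK = 16                 # b = 128 bits
R128 = 0x87                # SP 800-38B constant R_b for b = 128 (the constant C in the text)


def toy_block_cipher(key: bytes) -> Callable[[bytes], bytes]:
    """ASSUMED stand-in for E_K (use AES in practice): a keyed function built from SHA-256.
    The MAC algebra below only ever applies E_K forwards, so the constructions are exercised
    faithfully, but the outputs are not real AES-CMAC tags."""
    def encrypt(block: bytes) -> bytes:
        assert len(block) == BLOCK
        return hashlib.sha256(key + block).digest()[:BLOCK]
    return encrypt


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(enc, msg: bytes) -> bytes:
    """DAA-style CBC-MAC with zero IV (Eq. 6.2); msg must be a whole number of blocks."""
    assert len(msg) % BLOCK == 0
    c = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        c = enc(xor(c, msg[i:i + BLOCK]))
    return c


def forge_cbc_mac(m1: bytes, t1: bytes, m2: bytes, t2: bytes):
    """Given the tags of two one-block messages, the tag of M1 || (M2 xor t1) is t2, because
    E(E(M1) xor M2 xor t1) = E(M2).  No key needed: CBC-MAC is safe only at one fixed length."""
    return m1 + xor(m2, t1), t2


def cmac_subkeys(k0: int, b: int, rb: int):
    """K1, K2 from K0 = E_K(0^b): shift left one bit; XOR the constant if the MSB shifted out was 1."""
    def step(x: int) -> int:
        shifted = (x << 1) & ((1 << b) - 1)
        return shifted ^ rb if x >> (b - 1) else shifted
    k1 = step(k0)
    return k1, step(k1)


def cmac(enc, msg: bytes, tlen: int = BLOCK) -> bytes:
    """CMAC tag T = MSB_tlen(c_N) per SP 800-38B."""
    k0 = int.from_bytes(enc(bytes(BLOCK)), "big")
    k1, k2 = cmac_subkeys(k0, 8 * BLOCK, R128)
    if msg and len(msg) % BLOCK == 0:                        # Figure 6.14a: complete last block
        head, last = msg[:-BLOCK], xor(msg[-BLOCK:], k1.to_bytes(BLOCK, "big"))
    else:                                                    # Figure 6.14b: pad with 10...0
        cut = len(msg) - len(msg) % BLOCK
        padded = msg[cut:] + b"\x80" + bytes(BLOCK - len(msg) % BLOCK - 1)
        head, last = msg[:cut], xor(padded, k2.to_bytes(BLOCK, "big"))
    c = bytes(BLOCK)
    for i in range(0, len(head), BLOCK):                     # Eq. (6.5)
        c = enc(xor(c, head[i:i + BLOCK]))
    return enc(xor(c, last))[:tlen]


if __name__ == "__main__":
    enc = toy_block_cipher(b"demo-key")
    m1, m2 = b"pay alice 100.00", b"pay mallory 9999"        # constructed 16-byte messages
    t1, t2 = cbc_mac(enc, m1), cbc_mac(enc, m2)
    forged_msg, forged_tag = forge_cbc_mac(m1, t1, m2, t2)
    print("CBC-MAC forgery verifies:", cbc_mac(enc, forged_msg) == forged_tag)
    print("CMAC of forged message equals t2:", cmac(enc, forged_msg) == t2)
```

The subkey step is where CMAC departs from CBC-MAC: because the last block is masked with K_1 or K_2 before encryption, the attacker's relation E(t1 ⊕ M2 ⊕ t1) = E(M2) no longer holds, and a message that is padded is keyed apart from one that happens to end in the same bytes.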


6.3 Digital Signature and Authentication 


Message authentication is a procedure to verify that the received message comes from the 
alleged source and has not been altered. It does not protect sender and receiver against 
each other; additional mechanisms must be provided to protect the two parties against each 
other. A digital signature provides the security capability to achieve this goal. Thus, a digital 
signature function includes the authentication function together with additional capabilities. 
6.3.1 Digital Signature Properties 


A digital signature needs to provide the ability to verify the sender and the time of the 
signature, the ability to authenticate the message contents, and the ability to be verified by 
third parties to resolve disputes. Therefore, a digital signature must have the following properties: 

• Must depend on the message signed; 
• Must use information unique to the sender, to prevent both forgery and denial; 
• Must be relatively easy to produce; 
• Must verify the sender and the time of the signature; 
• Must authenticate the contents at the time of the signature; 
• Must be verifiable by third parties, to resolve disputes. 

A secure hash function is usually embedded in a digital signature scheme to meet these 
requirements. A variety of approaches have been proposed for the digital signature func- 
tion. These approaches fall into two categories: direct digital signatures and arbitrated digital 
signatures. 

Direct digital signatures involve only the communicating parties, with direct appli- 
cation of public-key algorithms. For sender X and receiver Y, a digital signature may be 
formed by encrypting the entire message M with the sender's private key PR_x, or by encrypt- 
ing a hash value H(M) of the message with the sender's private key. Confidentiality can 
be provided by further encrypting the entire message plus signature using either a public-key 
or a symmetric-key scheme. A message with message authentication, digital signature, and 
confidentiality can be created as follows: 

$$
X \to Y:\quad C = E\big(PU_y,\ [M \,\|\, E(PR_x, H(M))]\big).
$$

The digital signature E(PR_x, H(M)) is applied to the hash value only. It is important to per- 
form the digital signature function first and then the outer confidentiality function, so that 
in case of dispute a third party can view the message and its signature without needing the 
confidentiality key. A direct digital signature depends on the security of the sender's private 
key: if the private key is compromised, signatures can be forged, and a sender can repudiate 
a genuine signature by claiming that the key was compromised. As countermeasures, it is 
necessary to add timestamps and timely key revocation schemes. 

Arbitrated digital signatures can address the problems that are associated with direct 
digital signatures. An arbiter is a third party that is independent of both sender and receiver. 
The arbiter must also be trusted by both parties so that the mechanism can work properly. A variety 
of arrangements are available for arbitrated digital signatures, with either symmetric (private-key) 
or public-key algorithms. Let X, Y, and A be sender, receiver, and arbiter, respectively. The fol- 
lowing arrangement applies a symmetric algorithm, with pre-shared secret keys K_xa between 
X and A and K_ay between Y and A: 

$$
X \to A:\ M \,\|\, E\big(K_{xa}, [ID_X \,\|\, H(M)]\big),
$$

$$
A \to Y:\ E\big(K_{ay}, [ID_X \,\|\, M \,\|\, E(K_{xa}, [ID_X \,\|\, H(M)]) \,\|\, T]\big),
$$

where T is a timestamp. Note that message M is revealed to the arbiter in this arrangement. 
Another symmetric-key arrangement that does not reveal the message is as follows: 

$$
X \to A:\ ID_X \,\|\, E(K_{xy}, M) \,\|\, E\big(K_{xa}, [ID_X \,\|\, H(E(K_{xy}, M))]\big),
$$

$$
A \to Y:\ E\big(K_{ay}, [ID_X \,\|\, E(K_{xy}, M) \,\|\, E(K_{xa}, [ID_X \,\|\, H(E(K_{xy}, M))]) \,\|\, T]\big).
$$

Note that this arrangement requires another secret key K_xy shared between sender and 
receiver. Public-key encryption can also be applied to arbitrated digital signatures. The fol- 
lowing arrangement is based on public-key encryption, and the message is not revealed to the 
arbiter: 

$$
X \to A:\ ID_X \,\|\, E\big(PR_x, [ID_X \,\|\, E(PU_y, E(PR_x, M))]\big),
$$

$$
A \to Y:\ E\big(PR_a, [ID_X \,\|\, E(PU_y, E(PR_x, M)) \,\|\, T]\big),
$$

where PU_n and PR_n are the public and private keys of entity n, respectively. 


6.3.2 Digital Signature Standard and Algorithm 


The Digital Signature Standard (DSS) was originally proposed in 1991 and revised in 1993 
in response to public feedback concerning the security of the scheme. There was a further 
minor revision in 1996. In 2000, an expanded version of the standard was issued as NIST 
FIPS 186-2, which also incorporates digital signature algorithms based on RSA and on elliptic 
curve cryptography. The DSS makes use of SHA and presents a new digital signature 
technique, the Digital Signature Algorithm (DSA). DSA is the US government approved 
signature scheme, designed to provide strong signatures without allowing easy use 
for encryption. As discussed in the last chapter, RSA can be applied as a digital signature 
approach, as shown in Figure 6.15: RSA creates a digital signature by encrypting the hash 
value with the sender's private key, and verification is done by decrypting the signature 
with the sender's public key. The DSA approach differs from the RSA approach in how the 
message signature is generated and verified. 

The DSA signature scheme is superior to the RSA approach in two ways. First, a DSA 
signature is 320 bits, much smaller than the 1024-bit result of RSA with a 1024-bit modulus. 
Second, DSA signing is faster, since most of its computation is modular arithmetic over a 
160-bit number. Nevertheless, unlike RSA, DSA cannot be used for encryption or key exchange, 
although it is a public-key technique. DSA is based on the difficulty of computing discrete 
logarithms, and on a scheme originally presented by ElGamal and Schnorr. As shown in 
Figure 6.16, DSA signing uses the message hash value, the global public values, the private 
key and a random value k to create a two-part signature (s, r). Verification computes a 
function of the hash value, the public key and 

Figure 6.15 RSA approach for digital signature. 
Figure 6.16 DSS approach for digital signature. 

(s, r), and compares the result with r. The details are given as follows. A set of 
global parameters (p, q, g) is chosen, where p is a large prime number with 2^{L−1} < p < 2^L, 
L between 512 and 1024 bits and a multiple of 64; q is a 160-bit prime number that is a prime 
factor of (p − 1); and g = h^{(p−1)/q} mod p, where 1 < h < p − 1 is chosen such that 
h^{(p−1)/q} mod p > 1. With the global parameters distributed to all DSA users, each user 
chooses a random private key x with 0 < x < q and computes the public key y = g^x mod p. To 
create a digital signature, the sender first generates a random per-message secret k with 
0 < k < q. This value must be destroyed after use and never reused (nor be predictable): two 
signatures made with the same k reveal the private key x. The sender then computes the 
signature pair (r, s) as follows: 

$$
r = \big(g^{k} \bmod p\big) \bmod q, \qquad (6.6)
$$

and 

$$
s = \big(k^{-1}\,(H(M) + x\,r)\big) \bmod q. \qquad (6.7)
$$

On the receiving side, the receiver verifies the signature as follows: 

$$
w = s^{-1} \bmod q,
$$

$$
u_1 = \big(H(M)\,w\big) \bmod q,
$$

$$
u_2 = (r\,w) \bmod q,
$$

$$
v = \Big(\big(g^{u_1}\,y^{u_2}\big) \bmod p\Big) \bmod q.
$$

If v matches r, the signature is verified (the receiver should first check that 0 < r < q and 
0 < s < q). 
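As an added example (not the book's code), the following Python implements the scheme above end to end with the chapter's symbols: generation of the global parameters (p, q, g), key generation, signing per Eqs. (6.6)-(6.7), verification, and a `recover_private_key()` routine that shows what the warning about never reusing k means in practice. Choices made here that the text does not fix: L = 512 bits to keep the run fast, SHA-256 truncated to 160 bits as H(M), Miller-Rabin for primality testing, and a seeded `random.Random` (via `make_rng`) so the run is reproducible; real keys and per-message k values must come from a cryptographic generator such as `secrets`.

```python
import hashlib
import random


def make_rng(seed):
    """Seeded generator for a reproducible demonstration; NOT for real keys or k."""
    return random.Random(seed)


def is_probable_prime(n, rng, rounds=40):
    """Miller-Rabin primality test (sufficient for generating demonstration parameters)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(rng, L=512, N=160):
    """Global parameters (p, q, g): q an N-bit prime, p an L-bit prime with q | (p - 1),
    g = h^((p-1)/q) mod p with g > 1.  L = 512 is the smallest size the text allows."""
    while True:
        q = rng.getrandbits(N) | (1 << (N - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        k = (rng.getrandbits(L - N) | (1 << (L - N - 1))) & ~1   # even, so p = kq + 1 is odd
        p = k * q + 1
        if p.bit_length() == L and is_probable_prime(p, rng):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g > 1:
            return p, q, g


def hash_to_int(m, q):
    """H(M) as an integer: leftmost N bits of SHA-256 (FIPS 186-4 truncates to N = len(q))."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - q.bit_length())


def keygen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)                 # private key, 0 < x < q
    return x, pow(g, x, p)                  # public key y = g^x mod p


def sign(params, x, m, rng, k=None):
    """(r, s) per Eqs. (6.6)-(6.7).  k is drawn fresh per signature unless the caller forces it,
    which is done below only to show why reuse is fatal."""
    p, q, g = params
    while True:
        kk = k if k is not None else rng.randrange(1, q)
        r = pow(g, kk, p) % q
        s = pow(kk, -1, q) * (hash_to_int(m, q) + x * r) % q
        if r and s:
            return r, s


def verify(params, y, m, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = hash_to_int(m, q) * w % q
    u2 = r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r


def recover_private_key(q, m1, sig1, m2, sig2):
    """Two signatures made with the same k share r; k and then x fall out in two lines:
    k = (H1 - H2)/(s1 - s2) mod q,  x = (s1 k - H1)/r mod q."""
    r, s1 = sig1
    _, s2 = sig2
    h1, h2 = hash_to_int(m1, q), hash_to_int(m2, q)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q
```

The recovery works for any signer whose k repeats, whether from a reused value or from a poor random generator; it is the reason the text insists k be destroyed after use.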


6.3.3 The Elliptic Curve Digital Signature Algorithm 


The Elliptic Curve Digital Signature Algorithm (ECDSA) is a public-key signature scheme 
developed for the American National Standards Institute by the Accredited Standards 
Committee on Financial Services, X9 (ANSI X9.62) [42]. ECDSA is the elliptic curve analog 
of DSA [43]. 


6.3.3.1 ECDSA Domain Parameters 

ECDSA domain parameters are common to a group of users and may be public. The domain 
parameters are the foundation for generating the public/private key pairs required for digital 
signature generation and verification. Specifically, domain parameters for ECDSA are of the form 
(q, FR, a, b, G, n, h), where q is the field size; FR is an indication of the basis used; a and b 

Table 6.4 ECDSA security parameters. 

Bit length of n    Maximum cofactor h 
160-223            2^10 
224-255            2^14 
256-383            2^16 
384-511            2^24 
≥ 512              2^32 

are two field elements that define the equation of the curve; G = (x_G, y_G) is a base point of 
prime order on the curve; n is the order of the point G; and h is the cofactor (equal to the 
order of the curve divided by n). A domain parameter seed is optional if the elliptic curve is 
randomly generated in a verifiable fashion. ECDSA specifies five ranges for n and maximum 
sizes for the corresponding cofactor h, as listed in Table 6.4. Two arithmetic fields are 
defined for curves in ECDSA: the prime finite field GF(p), where p is an odd prime number, 
and the binary finite field GF(2^m). 

Recommended Curves over Binary Fields: the pseudo-random curves have the form 

$$
E:\ y^2 + xy = x^3 + x^2 + b, \qquad (6.8)
$$

for each field degree m, where the cofactor is h = 2. Alternatively, the recommended 
Koblitz curves have the form 

$$
E_a:\ y^2 + xy = x^3 + a x^2 + 1, \qquad (6.9)
$$

where a = 0 or 1; the cofactor is h = 2 if a = 1, and h = 4 if a = 0. 

Recommended Curves over Prime Fields: 

$$
E:\ y^2 = x^3 - 3x + b \pmod p, \qquad (6.10)
$$

for each prime p, with the curve chosen to have prime order n (so h = 1). The selection a = −3 
for the coefficient of x was made for reasons of efficiency, as explained in IEEE Std 1363-2000 [44]. 


6.3.3.2 ECDSA Private/Public Keys 
An ECDSA key pair consists of a private key d and a public key Q that is associated with 
a specific set of ECDSA domain parameters; d, Q and the domain parameters are mathe- 
matically related to each other (Q = dG). Two methods (i.e. Algorithms 6.1 and 6.2) can be used 
to generate a digital signature key pair (d, Q) for a set of domain param- 
eters (q, FR, a, b, G, n, h). 

In comparison, Algorithm 6.1 requires 64 more random bits for d so that the bias produced by 
the modular reduction is negligible, whereas Algorithm 6.2 draws exactly N bits and rejects 
out-of-range candidates. Note that if N is invalid, or the bit string b cannot be generated at the 
required security strength, the algorithms cannot produce the key pair. 
6.3.3.3 ECDSA Digital Signature Generation 
Given a message m, an ECDSA digital signature (r, s) is generated as follows: 

(1) Select a random integer k, 1 ≤ k ≤ n − 1. 
(2) Compute kG = (x_1, y_1) and convert x_1 to an integer c_1 through Algorithm 6.3. 
(3) Compute r as follows: 

$$
r = c_1 \bmod n. \qquad (6.11)
$$

(If r = 0, select another k and start again.) 

(4) Compute the multiplicative inverse k^{−1} mod n. 

(5) Compute the hash value of m through a hash function specified by NIST FIPS 180 [45] 
and convert the result to an integer e. The security strength of the chosen hash function 
shall meet or exceed the security strength required for the digital signature process. 

(6) Compute s as follows: 

$$
s = k^{-1}(e + d\,r) \bmod n. \qquad (6.12)
$$

(If s = 0, start again.) 
(7) Return the ECDSA digital signature (r, s). As with DSA, k must be fresh, unpredictable 
and never reused; a repeated k reveals d. 


Algorithm 6.1 ECDSA key pair generation using extra random bits 

Input: Domain parameters (q, FR, a, b, G, n, h); 
Output: ECDSA key pair (d, Q); 
N ← bit length of n; 
b ← a random string of (N + 64) bits; 
Convert bit string b to the non-negative integer c according to Algorithm 6.3; 
d ← (c mod (n − 1)) + 1; 
Q ← dG; 
Return (d, Q); 


Algorithm 6.2 ECDSA key pair generation by testing candidates 

Input: Domain parameters (q, FR, a, b, G, n, h); 
Output: ECDSA key pair (d, Q); 
N ← bit length of n; 
repeat 
    b ← a random string of N bits; 
    Convert bit string b to the non-negative integer c according to Algorithm 6.3; 
until c ≤ n − 2; 
d ← c + 1; 
Q ← dG; 
Return (d, Q); 


Algorithm 6.3 Conversion of a bit string to an integer 

Input: An n-bit sequence b = {b_1, b_2, ..., b_n}; 
Output: Integer C; 
Let b_1, b_2, ..., b_n be the bits of b from leftmost to rightmost; 
C ← Σ_{i=1}^{n} 2^{n−i} b_i; 
Return C; 


6.3.3.4 ECDSA Digital Signature Verification 
An ECDSA digital signature (r, s) of message m is verified as follows: 

(1) Verify that both r and s are integers in the interval [1, n − 1]. 

(2) Compute the hash value of m (with the same hash function as the signer) and convert the 
result to an integer e. 

(3) Compute w = s^{−1} mod n. 

(4) Compute u_1 = e w mod n and u_2 = r w mod n. 

(5) Compute X = u_1 G + u_2 Q. (Reject the signature if X = O, the point at infinity.) 

(6) Convert the x-coordinate x_1 of X to an integer c_1, and compute v as follows: 

$$
v = c_1 \bmod n. \qquad (6.13)
$$

(7) If v = r, accept the signature; otherwise reject it. 

Proof that signature verification works: Given that s = k^{−1}(e + dr) mod n, it can be 
seen that 

$$
k = s^{-1}(e + dr) = s^{-1} e + s^{-1} r d = w e + w r d = u_1 + u_2 d \pmod n.
$$

Thus 

$$
X = u_1 G + u_2 Q = (u_1 + u_2 d)\,G = kG,
$$

so the x-coordinate of X reduced modulo n equals r, and v = r as required. (In practice the 
verifier should also check that Q is a valid point on the curve before using it.) 


6.3.4 Authentication Protocols 


Authentication is a security feature that convinces parties of each other's identity. Session 
key establishment and exchange often occur together with an authentication process. Authen- 
tication may be one-way or mutual, depending on the application scenario. Whether the 
authentication is one-way or mutual, the key issues of authentication are confidential- 
ity and timeliness. That is to say, it is critical for an authentication protocol to protect the 
session keys involved (if any), and to be strong against replay attacks. A replay attack is one 
where a valid signed (or encrypted) message is copied and later resent. Such replays, at worst, 
could allow an opponent to compromise a session key or successfully impersonate another party. 
At minimum, a successful replay can disrupt operations by presenting parties with messages 
that appear genuine but are not. Different techniques can be applied in authentication protocols 
to counter replay attacks. Possible choices are: 

• using sequence numbers: generally impractical, since each party must remember the last 
number used with every communicating party; 

• using timestamps: needs synchronized clocks among all parties involved, which can be 
problematic; 

• using challenge/response: uses unique, random, unpredictable nonces, but is not suitable 
for connectionless applications because of the handshake overhead. 


One class of authentication protocols uses symmetric encryption. In general, a two-level 
hierarchy of symmetric encryption keys can be used to provide confidentiality for commu- 
nication in a distributed environment. One level involves master keys, one for each user, 
shared with a trusted Key Distribution Center (KDC). The KDC is responsible for gener- 
ating session keys, and for distributing those keys to the parties involved. The other level 
involves the session keys that enable direct communication between an authenticated pair of 
parties. 

The Needham-Schroeder Protocol is one example of a two-level hierarchy based authenti- 
cation protocol. It is used by two parties A and B, who both trust a common KDC but do not 
trust each other, and thus require authentication first. A and B share secret master keys 
K_a and K_b, respectively, with the KDC. The KDC gives one party the information needed to 
establish a session key with the other. After authentication, A and B share a session key K_s. 
The protocol operates as follows: 

(1) A → KDC: ID_A || ID_B || N_1 
(2) KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])]) 
(3) A → B: E(K_b, [K_s || ID_A]) 
(4) B → A: E(K_s, N_2) 
(5) A → B: E(K_s, f(N_2)) 

Nonces N_1 and N_2 are added to protect the authentication against replay attacks: N_1 assures 
A that message (2) is a fresh reply from the KDC, and the challenge/response in (4)-(5) assures 
B that its peer currently holds K_s. B, however, cannot tell whether message (3) itself is fresh: 
if an old session key K_s is ever compromised, an opponent can replay the old message (3) and 
complete steps (4)-(5) while impersonating A. This is the kind of replay that the timestamps in 
the Denning-Sacco protocol below are intended to prevent. 

Public key encryption can also be applied to authentication protocols. In this case, it is generally assumed that each of the two parties is in possession of the current public key of the other. A third party is involved, known as an Authentication Server (AS). The AS is also assumed to be a trusted party.

The Denning-Sacco authentication protocol is one example of a public key based authentication protocol. In this protocol, the AS only provides public-key certificates. The session key is chosen and encrypted by A; hence, there is no risk of exposure by the AS. The protocol operates as follows:


A → AS: ID_A || ID_B,

AS → A: E(PR_as, [ID_A || PU_a || T]) || E(PR_as, [ID_B || PU_b || T]),

A → B: E(PR_as, [ID_A || PU_a || T]) || E(PR_as, [ID_B || PU_b || T]) || E(PU_b, E(PR_a, [K_s || T])),


where E(PR_as, ·) denotes a signature under the private key of the AS (i.e. a certificate) and T is a timestamp. The timestamps T protect against replays of compromised keys. This protocol is compact but requires synchronization of clocks.
6.4 Key Management 


A slight touch of session key distribution has been given in the previous section of authen- 
tication protocols. Key management and distribution are complex topics. In this section, a 
general idea and some examples of key management schemes will be given. 


6.4.1 Key Distribution with Symmetric Key Encryptions 


A secret key must be shared between the two parties for symmetric encryption to work. Other features such as message authentication and digital signatures may also depend on pre-shared keys. Those keys must be protected from unauthorized access. Moreover, a key is more likely to be compromised the longer it has been in use. Therefore, frequent key changes are usually desirable to enhance security. Once a key is generated or updated, it needs to be distributed to the two parties (e.g. A and B). Key distribution can be achieved in a number of ways:


(1) Physical delivery from A to B: this is the simplest key distribution mechanism. However, it is only applicable when there is personal contact between the recipient and the key issuer.

(2) A third party C selects and delivers a key to A and B: the key is known to C. It is only applicable when C is trusted by both A and B.

(3) A and B use a previous key to encrypt a new key: this is only applicable when a secret key has already been shared between A and B, usually through one of the two ways mentioned earlier. This method suffers from the problem that if an attacker gains access to one key, then all subsequent keys will be revealed.

(4) A third party C relays a key between A and B: a new key is usually chosen by A or B. It is only applicable when A and B both have secure communications with a trusted third party C.


If end-to-end encryption is provided at the network level, then a secret key is needed for every pair of hosts on the network that wish to communicate. If encryption is done at the application level, then a key is needed for every pair of users that require communication. For N hosts/users, the number of required symmetric keys is N(N - 1)/2, as illustrated in Figure 6.17. With a network that supports 10 000 application users, as many as 50 million keys may be required for application-level encryption. As the number of communicating parties grows, only option (4) (or variants of it) is a practical solution to the huge growth in the number of keys potentially needed. One advantage of option (4) is that a key hierarchy is applied to reduce the number of keys. In this scheme, a Key Distribution Center (KDC) is responsible for distributing keys to pairs of users that need to communicate. Each user must share a unique secret key with the KDC so that secure communication can be established between each user and the KDC. These unique secret keys are the first level of the key hierarchy. A second level consists of session keys that are used for the duration of a logical connection. More levels of keys may be applied based on different requirements.

A typical key distribution scenario with key hierarchy works as follows: 


(1) A requests from the KDC a session key to protect a logical connection to B. The message includes the identities of A and B and a unique nonce N_1.

(2) The KDC responds with a message encrypted using K_a, the master key shared by A and the KDC. The message includes a one-time session key K_s to be used for the session, the original request message (so that A can match the response with the appropriate request), and information for B.

(3) A stores the session key for use in the upcoming session and forwards to B the information from the KDC intended for B, namely E(K_b, [K_s || ID_A]). Because this information is encrypted with K_b, it is protected from eavesdropping. At this point, a session key has been securely delivered to A and B, and they may begin their protected communication. Two additional steps are desirable:

(4) Using the new session key K_s for encryption, B sends a nonce N_2 to A.

(5) Also using K_s, A responds with f(N_2), where f is a function that performs some transformation on N_2 (e.g. adding one). These steps assure B that the original message it received in step 3 was not a replay. Note that the actual key distribution involves only steps 1 through 3, while steps 3 through 5 perform an authentication function.

Figure 6.17 Number of keys required for different numbers of end points.
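The five-step exchange above, which is the Needham-Schroeder protocol of Section 6.3.4 with the KDC's two key levels made explicit, simulated end to end as an added example (not code from the book). The symmetric cipher E(K, ·) is stood in for by a small encrypt-then-MAC construction built on HMAC-SHA256, chosen only so that the script runs on the Python standard library; the identifier and nonce lengths, the f(N) = N + 1 transformation and the KDC/Party classes are assumptions of the example.

```python
"""Session-key distribution through a KDC (Needham-Schroeder), end to end.

Added example, not from the book. E(K, M) is stood in for by a small
encrypt-then-MAC construction over HMAC-SHA256 so that the script needs only
the standard library; it illustrates the message flow and is not a cipher to
deploy (use a real AEAD such as AES-GCM). IDs, nonce and key lengths and the
KDC/Party classes are assumptions of the example.
"""
import hashlib
import hmac
import secrets

ID_LEN, N_LEN, K_LEN, NONCE_LEN, TAG_LEN = 8, 16, 32, 12, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def E(key: bytes, msg: bytes) -> bytes:
    """Toy E(K, M): nonce || (M xor keystream) || truncated HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def D(key: bytes, blob: bytes) -> bytes:
    """Inverse of E; rejects anything whose tag does not verify under `key`."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("MAC check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def f(nonce: bytes) -> bytes:
    """Transformation used in message 5: f(N2) = N2 + 1 (mod 2^128)."""
    return ((int.from_bytes(nonce, "big") + 1) % (1 << (8 * N_LEN))).to_bytes(N_LEN, "big")


class KDC:
    def __init__(self):
        self.master = {}  # ID -> master key shared with that party (first key level)

    def register(self, ident: bytes) -> bytes:
        self.master[ident] = secrets.token_bytes(K_LEN)
        return self.master[ident]

    def handle_request(self, msg1: bytes) -> bytes:
        """Message 1 (ID_A || ID_B || N1) -> message 2."""
        id_a, id_b, n1 = msg1[:ID_LEN], msg1[ID_LEN:2 * ID_LEN], msg1[2 * ID_LEN:]
        ks = secrets.token_bytes(K_LEN)                    # one-time session key (second level)
        ticket = E(self.master[id_b], ks + id_a)           # E(K_b, [K_s || ID_A]), meant for B
        return E(self.master[id_a], ks + id_b + n1 + ticket)


class Party:
    def __init__(self, ident: bytes, kdc: KDC):
        self.id, self.k, self.ks = ident, kdc.register(ident), None

    # initiator (A) side
    def request(self, peer: bytes) -> bytes:
        self.peer, self.n1 = peer, secrets.token_bytes(N_LEN)
        return self.id + peer + self.n1                     # message 1

    def accept_kdc_reply(self, msg2: bytes) -> bytes:
        body = D(self.k, msg2)
        ks, id_b = body[:K_LEN], body[K_LEN:K_LEN + ID_LEN]
        n1, ticket = body[K_LEN + ID_LEN:K_LEN + ID_LEN + N_LEN], body[K_LEN + ID_LEN + N_LEN:]
        if id_b != self.peer or not hmac.compare_digest(n1, self.n1):
            raise ValueError("reply does not match my request: replayed or misdirected")
        self.ks = ks
        return ticket                                       # message 3, forwarded to B unchanged

    def answer_challenge(self, msg4: bytes) -> bytes:
        return E(self.ks, f(D(self.ks, msg4)))              # message 5

    # responder (B) side
    def accept_ticket(self, msg3: bytes) -> bytes:
        body = D(self.k, msg3)
        self.ks, self.peer, self.n2 = body[:K_LEN], body[K_LEN:], secrets.token_bytes(N_LEN)
        return E(self.ks, self.n2)                          # message 4

    def verify_answer(self, msg5: bytes) -> bool:
        return hmac.compare_digest(D(self.ks, msg5), f(self.n2))


def run_protocol():
    """Full five-message run; returns (A, B, B's verdict on message 5)."""
    kdc = KDC()
    a, b = Party(b"A".ljust(ID_LEN, b"\0"), kdc), Party(b"B".ljust(ID_LEN, b"\0"), kdc)
    m2 = kdc.handle_request(a.request(b.id))
    m4 = b.accept_ticket(a.accept_kdc_reply(m2))
    return a, b, b.verify_answer(a.answer_challenge(m4))


def replayed_reply_is_rejected() -> bool:
    """An old message 2 replayed to A carries a stale N1 and must be refused."""
    kdc = KDC()
    a, b = Party(b"A".ljust(ID_LEN, b"\0"), kdc), Party(b"B".ljust(ID_LEN, b"\0"), kdc)
    old_m2 = kdc.handle_request(a.request(b.id))
    a.request(b.id)                                         # new run, fresh N1
    try:
        a.accept_kdc_reply(old_m2)
    except ValueError:
        return True
    return False
```

`run_protocol()` walks messages 1 to 5 and ends with both parties holding the same K_s and B accepting f(N_2). `replayed_reply_is_rejected()` shows what N_1 buys: an opponent who replays an earlier KDC reply into a new run is caught by A because the nonce inside it no longer matches the outstanding request. Note that nothing in this exchange lets B tell whether message 3 is fresh; B only learns that whoever sent it currently holds K_s, which is exactly the gap the N_2 handshake narrows and the timestamps of the Denning-Sacco protocol close.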


For very large networks, a single KDC may not be sufficient. One may set up a hierar- 
chy of KDCs where each KDC handles its own local domain. For communications among 
users within the same local domain, the local KDC is responsible for key distribution. If 
two entities in different domains desire a shared key, then the corresponding local KDCs 
can communicate through a (hierarchy of) global KDC(s). 


6.4.2 Symmetric Key Distribution Using Public Key Cryptosystems 


A public key cryptosystem can be applied to encrypt secret keys for distribution. Although public key cryptosystems are also based on some pre-shared parameters (including public keys), revealing those parameters is far less damaging than revealing the secret keys used in symmetric encryption. A direct application of a public key cryptosystem is as follows. Assume A and B are communicating parties that have exchanged public keys PU_a and PU_b, and that ID_A and ID_B are the identities of A and B, respectively. Let A initiate the key distribution process, and let B choose the session key K_s. The detailed process is illustrated in Figure 6.18. The first three messages provide mutual authentication. Nonce N_1 is sent in the first message so that A can authenticate B. B replies with an encrypted N_1 || N_2 to identify itself and to request authentication of A. A replies with an encrypted N_2 in the third message and completes the authentication. In the last message, B chooses a session key K_s, encrypts it and also signs it before transmitting it to A. The result is that this scheme ensures both confidentiality and authentication in the exchange of a secret key.

Figure 6.18 Key distribution with confidentiality.

A public-key cryptosystem can also be applied in a hybrid way. Session keys are chosen 
and distributed by a KDC. The KDC shares a secret master key that is used for session key 
distribution with each user. A public key scheme is used to distribute the master keys in 
the beginning of the distribution process. The advantage of the hybrid scheme is that, for a 
configuration with a single KDC serving a widely distributed set of users, the master keys 
can be more efficiently and securely distributed. 


6.4.3 Distribution of Public Keys 


In public key cryptosystems, one problem is that, because the public key is public, any participant can send his or her public key to any other participant or broadcast the key to the community. The major weakness of such schemes is forgery: anyone can create a key claiming to be someone else and broadcast it. Several techniques have been proposed for the distribution of public keys, which can mostly be grouped into the following categories.


• Public announcement: users announce public keys to recipients or broadcast them to the community at large. The major weakness of this category of method is forgery. Anyone can create a key claiming to be someone else and broadcast it; until the forgery is discovered, they can masquerade as the claimed user.

• Using a publicly available directory: a greater degree of security can be achieved by maintaining a publicly available dynamic directory of public keys. Maintenance and distribution of the public directory has to be the responsibility of some trusted entity or organization. Participants register securely with the directory and can replace their keys at any time. The directory is periodically published. This scheme is clearly more secure than individual public announcements but is still vulnerable to tampering or forgery.




Figure 6.19 Public key authority. The message sequence in the figure is:

(1) A → Authority: Request || T_1,
(2) Authority → A: E(PR_auth, [PU_b || Request || T_1]),
(3) A → B: E(PU_b, [ID_A || N_1]),
(4) B → Authority: Request || T_2,
(5) Authority → B: E(PR_auth, [PU_a || Request || T_2]),
(6) B → A: E(PU_a, [N_1 || N_2]),
(7) A → B: E(PU_b, N_2).

Figure 6.20 Public-key certificates. A and B each submit their public key (PU_a, PU_b) to the CA and receive the certificates C_A = E(PR_auth, [T_1 || ID_A || PU_a]) and C_B = E(PR_auth, [T_2 || ID_B || PU_b]), which they then exchange directly with each other.


• Using a public key authority: a public key authority provides tighter control over the distribution of public keys from the directory for stronger security. As shown in Figure 6.19, participants (e.g. A and B) must know the public key PU_auth of the public key authority. To request a public key, the initiator A contacts the public key authority directly; no direct contact with B is needed to obtain its public key. The final two steps are for mutual authentication between A and B. Nonetheless, some drawbacks exist in this scenario. First, the public key authority becomes a bottleneck in the system, for a user must appeal to the authority for a public key for every other user that it wishes to contact. Second, the directory of names and public keys is still vulnerable to tampering.

• Using public key certificates: a public key certificate binds an identity to a public key, with all contents signed by a trusted Certificate Authority (CA). By using certificates, participants are able to exchange keys without contacting a public key authority. As shown in Figure 6.20, participants (e.g. A and B) present their public keys to the CA and obtain certificates. When A needs the public key of B, B presents its certificate C_B to A, and A verifies the certificate by way of the attached signature from the trusted CA. A participant can likewise convey its key information to another by transmitting its certificate, and the other participant can verify that the certificate was created by the authority, provided that it knows the authority's public key.
6.4.4 Public Key Infrastructure 


The Internet Security Glossary (RFC 4949) defines a public-key infrastructure (PKI) as the set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates based on asymmetric cryptography (public key cryptography) [46]. The principal objective of a PKI is to enable secure, convenient, and efficient acquisition of public keys. Figure 6.21 shows the interrelationships among the elements of a public key infrastructure. "User" is a generic term denoting the entities that appear in the subject field of a public key certificate, such as end users, servers, routers, etc. The certificate authority is the issuer of certificates and, in most cases, of certificate revocation lists (CRLs). A CA may also support a variety of administrative functions; for example, a user needs to register with the CA to obtain its certificate. The registration authority (RA) is an optional component that performs a number of administrative functions; a user may also register with the RA to obtain its certificate. The CRL issuer is an optional component that publishes CRLs. The repository is the "directory" for storing certificates and CRLs so that they can be retrieved by users.


6.4.5 X.509 Authentication Service 


X.509 is a standard defining the profile for public key infrastructure certificates and certificate revocation lists [47]. The standard was subsequently revised to address some security concerns. The second version was issued in 1993. A third version was issued in 1995 and revised in 2000. The X.509 standard has been universally accepted for formatting public-key certificates. X.509 certificates are widely used in network security applications, including IP security, Secure Sockets Layer (SSL), Secure Electronic Transactions (SET), and S/MIME. X.509 defines both a framework for the authentication services provided by the X.500 directory and alternative authentication protocols based on the use of public key certificates. Public key cryptography and digital signatures are the foundation of X.509. The X.509 standard does not dictate a specific algorithm, although RSA is recommended for public key encryption.

The formats of the X.509 certificate and revocation list are shown in Figure 6.22. The heart of the X.509 scheme is the public-key certificate associated with each user. The CA signs the certificate for user A with its private key as follows:


$$CA\langle\langle A\rangle\rangle = CA\{V, SN, AI, CA, T_A, UCA, A, UA, A_p\},$$


where A is the participant, V is the version number, SN is the serial number that is unique within the CA and identifies the certificate, AI is the signature algorithm identifier, CA is the issuer's name, T_A is the validity period, UCA is the optional unique identifier of the CA, A is the subject name, UA is the optional unique identifier of the user A, and A_p is the subject's public key information. UCA and UA exist only in the second and third versions of X.509. Extensions exist only in the third version of X.509.

Figure 6.22 X.509 certificate and revocation list. (a) X.509 certificate. (b) Certificate revocation list.

User certificates generated by a CA have the characteristics that any user with access to 
the public key of the CA can verify the user public key that was certified, and no party other 
than the CA can modify the certificate without this being detected. Because certificates are 
unforgeable, they can be placed in a directory without the need for the directory to make 
special efforts to protect them. X.509 version 3 includes a number of optional extensions. 
Each extension consists of an extension identifier, a criticality indicator, and an extension 
value. The certificate extensions fall into three main categories: 


• Key and policy information: convey additional information about the subject and issuer keys, plus indicators of certificate policy. A certificate policy is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements.

• Subject and issuer attributes: support alternative names, in alternative formats, for a certificate subject or certificate issuer and can convey additional information about the certificate subject, e.g. postal address, email address, or picture image.

• Certification path constraints: allow constraint specifications to be included in certificates issued for CAs by other CAs that may restrict the types of certificates that can be issued by the subject CA or that may occur subsequently in a certification chain.
As mentioned earlier, a certificate includes a period of validity, i.e. T_A. Typically a new certificate is issued just before the expiration of the old one. In addition, it may be desirable on occasion to revoke a certificate before it expires. To support this, each CA must maintain a list consisting of all revoked but not yet expired certificates issued by that CA, known as the Certificate Revocation List (CRL). Each CRL posted to the directory is signed by the issuer and includes the issuer's name, the date the list was created, the date the next CRL is scheduled to be issued, and an entry for each revoked certificate. Each entry consists of the serial number of a certificate and the revocation date for that certificate. Because serial numbers are unique within a CA, the serial number is sufficient to identify the certificate. When a user receives a certificate in a message, the user should determine whether the certificate has been revoked by checking the directory CRL each time a certificate is received; in practice, this often does not happen.
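The certificate checks of Section 6.4.3 and the validity-period and CRL checks just described, carried through on a toy CA as an added example (not the book's code, and not an X.509 implementation). The certificate is a JSON object whose fields mirror the X.509 fields named above (serial number, issuer, validity period, subject, subject public key), and the signature is textbook RSA over a SHA-256 digest, used only so that the script runs on the Python standard library; real deployments use padded signatures from a vetted library. The CA name, subject names, timestamps and the `CA`/`verify_certificate` interfaces are assumptions of the example.

```python
"""Certificate issuance, verification and revocation with a toy CA.

Added example, not from the book and not an X.509 implementation: the
certificate is a JSON object whose fields mirror the X.509 fields named in
the text, and textbook RSA (hash, then raise to the private exponent) is used
only so the script runs on the standard library. Real systems use padded
signatures (RSA-PSS, ECDSA) from a vetted library and DER-encoded X.509.
"""
import hashlib
import json
import secrets


def _probable_prime(n: int, rounds: int = 32) -> bool:
    """Trial division by small primes, then Miller-Rabin."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits: int = 1024):
    """Returns (private, public) as ((d, n), (e, n))."""
    e, half = 65537, bits // 2
    while True:
        p = q = 0
        while not _probable_prime(p):
            p = secrets.randbits(half) | (1 << (half - 1)) | 1
        while q == p or not _probable_prime(q):
            q = secrets.randbits(half) | (1 << (half - 1)) | 1
        phi = (p - 1) * (q - 1)
        if phi % e:                                   # gcd(e, phi) == 1, as e is prime
            return (pow(e, -1, phi), p * q), (e, p * q)


def _canon(obj) -> bytes:
    """Canonical encoding, so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(priv, obj) -> int:
    d, n = priv
    return pow(int.from_bytes(hashlib.sha256(_canon(obj)).digest(), "big"), d, n)


def verify(pub, obj, sig: int) -> bool:
    e, n = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(_canon(obj)).digest(), "big")


class CA:
    def __init__(self, name: str):
        self.name, self.next_serial, self.revoked = name, 1, {}
        self.priv, self.pub = rsa_keygen()

    def issue(self, subject: str, subject_pub, not_before: int, not_after: int) -> dict:
        tbs = {"version": 3, "serial": self.next_serial, "sig_alg": "sha256-rsa-textbook",
               "issuer": self.name, "not_before": not_before, "not_after": not_after,
               "subject": subject, "public_key": list(subject_pub)}
        self.next_serial += 1                         # serials are unique within this CA
        return {"tbs": tbs, "signature": sign(self.priv, tbs)}

    def revoke(self, serial: int, when: int) -> None:
        self.revoked[serial] = when

    def crl(self, this_update: int, next_update: int) -> dict:
        body = {"issuer": self.name, "this_update": this_update, "next_update": next_update,
                "revoked": sorted([s, t] for s, t in self.revoked.items())}
        return {"tbs": body, "signature": sign(self.priv, body)}


def verify_certificate(cert: dict, ca_name: str, ca_pub, crl: dict, now: int) -> str:
    """'ok', or the first reason the certificate must not be trusted."""
    tbs = cert["tbs"]
    if tbs["issuer"] != ca_name or not verify(ca_pub, tbs, cert["signature"]):
        return "bad signature"
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return "outside validity period"
    if crl["tbs"]["issuer"] != ca_name or not verify(ca_pub, crl["tbs"], crl["signature"]):
        return "bad CRL signature"
    if now > crl["tbs"]["next_update"]:
        return "CRL is stale"
    if any(serial == tbs["serial"] for serial, _ in crl["tbs"]["revoked"]):
        return "revoked"
    return "ok"


def demo() -> list:
    """Constructed scenario: valid, forged subject, expired, stale CRL, revoked."""
    ca, t0, day = CA("Example Root CA"), 1_700_000_000, 86_400
    _, bob_pub = rsa_keygen(512)                     # subject key; its size does not matter here
    cert = ca.issue("bob@example.test", bob_pub, t0, t0 + 365 * day)
    crl = ca.crl(t0, t0 + 7 * day)
    forged = {"tbs": dict(cert["tbs"], subject="mallory@example.test"),
              "signature": cert["signature"]}
    results = [verify_certificate(cert, ca.name, ca.pub, crl, t0 + 10),
               verify_certificate(forged, ca.name, ca.pub, crl, t0 + 10),
               verify_certificate(cert, ca.name, ca.pub, crl, t0 + 400 * day),
               verify_certificate(cert, ca.name, ca.pub, crl, t0 + 8 * day)]
    ca.revoke(cert["tbs"]["serial"], t0 + 100)
    results.append(verify_certificate(cert, ca.name, ca.pub, ca.crl(t0 + 100, t0 + 7 * day), t0 + 200))
    return results
```

The order of the checks in `verify_certificate` is deliberate: the signature is verified before any field is trusted, the CRL's own signature and `next_update` are checked before its contents are consulted, and a stale CRL is treated as a failure rather than as "not revoked", which is the shortcut the last sentence above warns is common in practice.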


6.5 Summary 


In this chapter, message authentication was discussed first. MACs and hash functions are two widely used mechanisms to provide message authentication. The difference is that a MAC is keyed while a hash function has no secret key. Hash functions can be used as the core of a MAC, e.g. HMAC; the security of HMAC depends on the hash function that is applied. Besides message authentication, digital signatures were discussed in this chapter. A digital signature is an algorithm or scheme for verifying the authenticity of digital messages or information. Finally, key management was briefly discussed. Both symmetric and asymmetric key distribution were illustrated. Hierarchical key distribution mechanisms are needed when a communication system has a large number of users. Both symmetric and public key mechanisms are applied in key distribution, serving different purposes.
Security for Wireless Local Area Networks 


7 
WLAN Security 


A Wireless Local Area Network (WLAN) is a wireless computer network within a limited area. Typical deployments of WLANs can be found in hotels, school buildings, and many other places. Because of the wireless communication medium, a WLAN enables flexible access and mobility within its transmission coverage. Meanwhile, a WLAN is more vulnerable to attacks than a wired connection due to the lack of physical connections. In this chapter, the security solutions of WLAN technologies are introduced.


7.1 Introduction to WLAN 


The most popular modern WLAN technology is Wi-Fi, which is a trademark of the Wi-Fi Alliance [48]. The core technology of Wi-Fi is based on the IEEE 802.11 standards [49]. Wi-Fi is almost a de facto feature for all devices and appliances that have communication capability, such as smart phones, laptop computers, tablets, etc. Even legacy devices have been upgraded with Wi-Fi capability, e.g. smart TVs, smart watches, smart refrigerators, etc. Without loss of generality, WLAN and Wi-Fi will be used interchangeably in the rest of this chapter.


7.1.1 Wi-Fi Operating Modes 


Wi-Fi supports an infrastructure-based mode and an ad-hoc mode. An infrastructure-based Wi-Fi network typically comprises an Access Point (AP) and several wireless stations (STAs). An AP is normally a wireless router, which is the base station of a WLAN. An STA is a Wi-Fi enabled device, such as a smart phone or a laptop computer. The process of joining a Wi-Fi network is illustrated in Figure 7.1. The STA initiates the process by sending an association request to the AP. The AP then runs an authentication process. An association response is sent back to the STA if the authentication is successful. In an infrastructure-based Wi-Fi network, all STAs communicate only with the AP. The AP constantly broadcasts beacon frames to manage the network. Beacon frames include the MAC header, timestamp, beacon interval, capability information, service set identifier (SSID), supported data rates, radio parameters, etc.

There are two types of communications in an infrastructure-based Wi-Fi network: one is to connect an STA to the external network (e.g. the Internet), and the other is to connect an STA to another STA within the same Wi-Fi network. As shown in Figure 7.2, in both types of communication the STA transmits data to the AP first. Then the AP relays the data to the external network or to another STA depending on the request. Wi-Fi ad-hoc mode supports direct communications between two Wi-Fi devices without a pre-deployed infrastructure, for example, using a laptop or a smart phone as a Wi-Fi hotspot to create an ad-hoc Wi-Fi network. Wi-Fi Direct is a certification mark of the Wi-Fi Alliance for devices supporting a technology that enables ad-hoc Wi-Fi [50]. Wi-Fi Direct can be used to share content, synchronize data, play audio and video, and many other things that may or may not require an external network connection.

Figure 7.2 Communication flows and Internet connections in a WLAN.


7.1.2 Challenges in WLAN Security 


WLAN as defined by the IEEE 802.11 standards focuses on PHY layer and MAC layer protocols. Unfortunately, security was not well considered in the original IEEE standards. The security discussion of WLAN in the rest of this chapter focuses on MAC layer issues. Readers are referred to IPsec and TLS/SSL for security designs at the network layer and transport layer. In the lower layers, providing WLAN security is harder than providing security in a wired network for several reasons: 


• Users share the open medium in a WLAN, while a physical break-in is required to access the medium of a wired network.

• Users roam everywhere within a WLAN or between WLANs, so it is harder to manage a WLAN in a timely and secure manner.

• Some APs may be rogue ones that can hardly be identified by users.

• Some of the existing security solutions for WLAN have flaws.


7.1.3 Tricks that Fail to Protect WLAN 


Many users are aware of the security issues in Wi-Fi, and a few techniques have been adopted to "secure" a Wi-Fi network. However, some of them are virtually useless despite their convincing descriptions. One example is MAC authentication, where a MAC address filter is applied at the AP. On one hand, MAC addresses are transmitted in clear text over the air and thus can easily be captured; a captured MAC address can also easily be cloned, which defeats the filter. On the other hand, MAC filtering is extremely difficult to manage. Some administrators disable the Dynamic Host Configuration Protocol (DHCP) and force static IP addresses. However, the IP addressing scheme is easy to figure out, since IP addresses are sent over the air in clear text just like MAC addresses; an intruder can simply observe the scheme and configure a static IP address. Another trick is SSID hiding. Unfortunately, suppressing the SSID in AP beacons only hides it in one place. The SSID still appears in clear text in four other frame types: probe requests, probe responses, association requests, and reassociation requests. Moreover, the IEEE 802.11 standards require the SSID to be transmitted in clear text, otherwise a Wi-Fi network cannot function properly. As a result, there is no such thing as a hidden SSID. Another misleading security method is antenna placement and signal suppression. While legitimate devices have power and antenna limitations set by regulators, attackers' equipment can be much more powerful and versatile. For example, directional high-gain antennas can pick up a weak Wi-Fi signal from several kilometers away. Moreover, lowering the signal strength does more harm to legitimate users than to attackers. We can see that all these trivial ways of protecting a WLAN are useless. Therefore, serious cryptographic schemes are needed to protect WLAN. 
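To make the SSID-hiding point concrete, an added example (not from the book) that builds the five management frame types named above from the 802.11 layout (24-byte MAC header, subtype-specific fixed fields, then information elements encoded as id || length || value, with the SSID being element id 0) and extracts the SSID from each. The MAC addresses, the network name CorpNet and the element contents are constructed for the example; in a real capture the same walk over the information elements is what a sniffer performs.

```python
"""Where the SSID appears in 802.11 management frames.

Added example, not from the book: frames are constructed by hand from the
802.11 management frame layout (24-byte MAC header, subtype-specific fixed
fields, then information elements as id || length || value, SSID = id 0).
Addresses and the network name are made up for the example."""
import struct

MGMT_SUBTYPES = {0: "association request", 2: "reassociation request",
                 4: "probe request", 5: "probe response", 8: "beacon"}
# Length of the fixed fields that precede the information elements, per subtype:
# assoc req = capability + listen interval; reassoc req adds current AP address;
# probe req has none; probe resp and beacon = timestamp + interval + capability.
FIXED_LEN = {0: 4, 2: 10, 4: 0, 5: 12, 8: 12}


def build_mgmt_frame(subtype: int, addr1: bytes, addr2: bytes, addr3: bytes,
                     ssid: bytes, fixed: bytes = None) -> bytes:
    """Management frame with the SSID element as its first information element."""
    fixed = bytes(FIXED_LEN[subtype]) if fixed is None else fixed
    frame_control = struct.pack("<H", (subtype << 4) | (0 << 2))   # type 0 = management
    header = frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])                 # a second element after it
    return header + fixed + ssid_ie + rates_ie


def parse_ssid(frame: bytes):
    """(subtype name, transmitter MAC, SSID) for a management frame, else None."""
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        return None
    transmitter = ":".join(f"{b:02x}" for b in frame[10:16])        # Address 2
    pos, ssid = 24 + FIXED_LEN[subtype], None
    while pos + 2 <= len(frame):                                    # walk the IE list
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + ie_len]
        if ie_id == 0:
            ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + ie_len
    return MGMT_SUBTYPES[subtype], transmitter, ssid


def demo():
    """A 'hidden' network: the beacon carries an empty SSID, every other frame names it."""
    ap, sta, bcast = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
    capture = [
        build_mgmt_frame(8, bcast, ap, ap, b""),                    # beacon, SSID suppressed
        build_mgmt_frame(4, bcast, sta, bcast, b"CorpNet"),         # client probes by name
        build_mgmt_frame(5, sta, ap, ap, b"CorpNet"),               # AP answers with the name
        build_mgmt_frame(0, ap, sta, ap, b"CorpNet"),               # association request
        build_mgmt_frame(2, ap, sta, ap, b"CorpNet"),               # reassociation request
    ]
    return [parse_ssid(f) for f in capture]
```

`demo()` returns one tuple per frame; only the beacon yields an empty name, and the transmitter address of every frame is readable as well, which is why MAC filtering fails for the same reason.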


7.2 Evolution of WLAN Security 


The evolution of WLAN security is summarized in Figure 7.3. Wired Equivalent Privacy (WEP) was the first scheme proposed to secure WLAN. However, it was a total failure. IEEE 802.11 with authentication based on the IEEE 802.1X standard was the next generation of WLAN security. With the introduction of IEEE 802.1X, it provides better authentication using RADIUS and EAP. However, the weaknesses of encryption and key management were not addressed in this generation. The next stage of WLAN security is IEEE 802.11 with Wi-Fi Protected Access (WPA). WPA was intended by the Wi-Fi Alliance as an intermediate measure to take the place of WEP while the full IEEE 802.11i standard was being developed. While not all, WPA implements much of the IEEE 802.11i standard, including authentication with 802.1X and some of the key management schemes. WPA can be implemented through a firmware upgrade on legacy wireless network interface cards designed for WEP. However, legacy APs from before 2003 may not be upgradable to support WPA. TKIP is adopted in WPA for encryption. Although WPA still uses RC4 for encryption, it employs a per-packet key to prevent the types of attacks that compromised WEP. A better message integrity check mechanism called Michael is also applied in WPA to mitigate the weakness of CRC-32.

Figure 7.3 Evolution of Wi-Fi security.

The IEEE 802.11i standard defines a later Wi-Fi security protocol. Although WPA was considered secure as a stopgap, a better solution was still needed. WPA2 has replaced WPA since September 2004, and it has been mandatory for all new Wi-Fi certified devices since 13 March 2006 [51]. WPA2, while not being equivalent to IEEE 802.11i, implements all of its mandatory elements. A major difference from WPA is the mandatory support of AES Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) in WPA2 [52]. The Wi-Fi Alliance announced the release of WPA3 in January 2018 with several security improvements over WPA2 [53]. WPA3 introduces three new capabilities for personal and enterprise Wi-Fi networks. Two of the features provide robust protection when a weak password is chosen. The other feature is a 192-bit security suite for higher security requirements. WPA3 is currently optional and retains interoperability with WPA2. In addition to WPA3, Opportunistic Wireless Encryption (OWE) was also introduced in 2018 to enhance user privacy in open Wi-Fi networks. 


7.3 Wired Equivalent Privacy 


WEP is a set of security schemes introduced as part of the original IEEE 802.11 wireless networking standard in September 1998. WEP was intended to provide wireless confidentiality comparable with that of a traditional wired network. It was also intended to achieve some other security goals such as access control and data integrity. Although WEP has serious flaws and fails all of its security goals, it still shares much of its design with more advanced security schemes, especially its successor WPA. The detailed design and flaws of WEP are discussed in the rest of Section 7.3. 


7.3.1 WEP Access Control 


WEP provides access control, i.e. authentication, to a WLAN. As shown in Figure 7.4, it requires an STA to be authenticated by the AP before association. The authentication process is based on a simple challenge-response protocol. WEP shared-key authentication consists of four messages as follows: 


(1) The STA sends an authentication request to the AP. 
(2) The AP generates a random value r and sends it back to the STA as a challenge. 
(3) The STA encrypts r with the secret key k shared between the STAs and the AP as 


$$E_k(r) = r \oplus \mathrm{RC4}(IV \,\|\, k), \tag{7.1}$$


where $\oplus$ is the XOR operation and IV is the initialization vector (IV), which is transmitted in the clear together with the encrypted message. The encrypted message is the response to the AP. 

(4) The AP decrypts the response and verifies the value. If the decrypted value matches the challenge r, access is granted to the STA. Otherwise, access is denied. 


The security of WEP authentication depends on the secret key k that is known to legitimate STAs and the AP, and on the cryptographic encryption function. The core function of the encryption is RC4. 


Figure 7.4 WEP authentication process. 
7.3.2 WEP Integrity and Confidentiality 


WEP uses a Cyclic Redundancy Check (CRC) checksum to provide data integrity for WLAN transmissions. An overview of the message encryption process is shown in Figure 7.5. The CRC value of a plaintext is computed and appended to the plaintext; specifically, CRC-32 is chosen for WEP. The CRC checksum is called the Integrity Check Value (ICV) in WEP. The sender encrypts the entire frame of plaintext and ICV before transmission. At the receiver side, the ciphertext is decrypted first. The receiver then computes the ICV over the decrypted plaintext and compares it with the received ICV. If the two values match, the message is assumed to have remained unchanged during transmission. WEP confidentiality is provided by encrypting the message before transmission. The encryption algorithm is RC4, the same as the one used in the WEP authentication process. 

The overview of WEP security is shown in Figure 7.6. Each seed input to RC4 consists of an IV and the pre-shared secret key k. The IV is a 24-bit value generated by a pseudo-random number generator. Note that the IV is changed for each message, and thus the seed is updated for each input message. With a given seed, RC4 produces a pseudo-random keystream. This keystream is XORed with the message and ICV to get the ciphertext. The same IV is also attached in the clear to the ciphertext transmitted to the receiver. At the receiver side, the pre-shared key is concatenated with the IV to get the seed. The seed is input into RC4 to regenerate the keystream. The functions of WEP security are almost symmetric at the STA and the AP sides, except that the IV is generated at the AP side if the message is transmitted from the AP. 


7.3.3 WEP Key Management 


The IEEE WEP security standard defines two types of keys: default key and key mapping 
keys. 


Figure 7.5 Overview of WEP encryption and message integrity. 

Figure 7.6 The overview of WEP security. 

Figure 7.7 WEP key management: default key. Every STA (IDs X, Y and Z in the figure) and the AP hold the same key. 


• Default key is also called shared key, group key, multicast key, or broadcast key. The default key is 40 or 104 bits long. It is static, and thus it is manually installed in every STA and the AP. Each STA uses the same shared secret key, as shown in Figure 7.7. If a member leaves the group and should no longer have access to the network, then the default key needs to be changed on all devices simultaneously. In practice, WEP supports multiple default keys (i.e. four default keys) to help smooth the change of keys. When multiple default keys are applied, the key currently in use is called the active key. The active key is used to encrypt messages. A message header contains a key ID that allows the receiver to find out which key should be used to decrypt the message. 

• Key mapping key is also called individual key, per-station key, or unique key. As shown in Figure 7.8, each STA is assigned a different key. The AP keeps a table of all the keys. Key mapping keys are not generally implemented in WEP-enabled devices. 


7.3.4 WEP Security Problems 


As mentioned earlier, WEP security has flaws in almost all of its security features and thus 
is not recommended for users. 

7.3.4.1 Problems in WEP Access Control 

The four-way handshake access control used by WEP has three major drawbacks. First, 
the authentication process in WEP is one-way only. While the STA is authenticated by the AP, 
the AP is trusted without being authenticated. Therefore, a rogue AP can be easily deployed 
if WEP security is applied. Second, the same shared secret key is used for both authentication 
and encryption. More frequent usage increases the wear-out of the shared key. Third, 
if the STA is an attacker, then the keystream generated by RC4 can be revealed by simply 
calculating $E_k(r) \oplus r$ without knowing the pre-shared key. Once the keystream is recovered, 
the attacker can encrypt any subsequent challenges. In other words, a rogue AP can be set 
up by the attacker. 


7.3.4.2 Problems in WEP Integrity 
The problems of WEP integrity come from the weak cryptographic checksum computed 
by CRC-32. Due to the simplicity of CRC-32, it is highly possible that different messages 
result in the same ICV value for WEP integrity. In fact, a CRC checksum is generated by 
dividing the message polynomial by a given CRC polynomial. The remainder is the CRC value. 
Writing a message as the polynomial 

$$P = p_n X^n + p_{n-1} X^{n-1} + \cdots + p_0 X^0$$ 

and the CRC polynomial as $c$, it is easy to verify that 

$$(p_1 + p_2) \bmod c = (p_1 \bmod c) + (p_2 \bmod c). \qquad (7.2)$$ 

Therefore, calculating the ICV is a linear function, where 

$$\mathrm{ICV}(p + q) = \mathrm{ICV}(p) + \mathrm{ICV}(q). \qquad (7.3)$$ 

If a CRC-32 valid plaintext (a message together with its own CRC-32) is XORed into a ciphertext, 
the modified message will pass the ICV check after decryption. However, the original message 
has been altered; thus integrity is not guaranteed in WEP security. 
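The linearity of (7.3) can be checked directly on the standard CRC-32. The following Python example is added here and is not code from the book: it uses zlib's CRC-32, a constructed byte string in place of the RC4 keystream, and, for contrast, the same framing with an HMAC, which does not have the property.

```python
import hashlib
import hmac
import zlib

# Constructed stand-in for an RC4 keystream; the property shown below does
# not depend on its value.
KEYSTREAM = bytes((37 * i + 11) & 0xFF for i in range(64))
MAC_KEY = b"constructed-demo-key"  # constructed, for the HMAC comparison only


def crc32(data: bytes) -> int:
    """Standard CRC-32 (IEEE 802.3 polynomial), the checksum behind the WEP ICV."""
    return zlib.crc32(data) & 0xFFFFFFFF


def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_linear(p: bytes, q: bytes) -> bool:
    """Equation (7.3) checked on two equal-length inputs.

    The standard CRC-32 pre-loads its register with 0xFFFFFFFF and inverts the
    result, so it is affine rather than strictly linear: the CRC-32 of an
    all-zero block of the same length cancels those two fixed terms.
    """
    zeros = bytes(len(p))
    return crc32(xor(p, q)) == crc32(p) ^ crc32(q) ^ crc32(zeros)


def wep_protect(msg: bytes, keystream: bytes) -> bytes:
    """WEP sender: append the 32-bit ICV, then XOR with the keystream."""
    body = msg + crc32(msg).to_bytes(4, "little")
    return xor(body, keystream[: len(body)])


def wep_unprotect(frame: bytes, keystream: bytes):
    """WEP receiver: remove the keystream, then verify the ICV.

    Returns (icv_ok, message).
    """
    body = xor(frame, keystream[: len(frame)])
    msg, icv = body[:-4], body[-4:]
    return crc32(msg).to_bytes(4, "little") == icv, msg


def apply_difference(frame: bytes, delta: bytes) -> bytes:
    """XOR a plaintext difference into an encrypted frame, fixing up the ICV.

    `delta` covers the whole message (zero bytes where nothing changes). By
    (7.3) the ICV of the altered message equals the original ICV XOR
    crc32(delta) ^ crc32(zeros), so that value is XORed over the encrypted
    ICV and the receiver's check still succeeds; no key or keystream is used.
    """
    icv_delta = crc32(delta) ^ crc32(bytes(len(delta)))
    d = delta + icv_delta.to_bytes(4, "little")
    return xor(frame[: len(d)], d) + frame[len(d):]


def mac_protect(msg: bytes, key: bytes, keystream: bytes) -> bytes:
    """Same framing with an HMAC-SHA256 tag (32 bytes) in place of CRC-32."""
    body = msg + hmac.new(key, msg, hashlib.sha256).digest()
    return xor(body, keystream[: len(body)])


def mac_unprotect(frame: bytes, key: bytes, keystream: bytes):
    """Returns (tag_ok, message) for a frame produced by mac_protect."""
    body = xor(frame, keystream[: len(frame)])
    msg, tag = body[:-32], body[-32:]
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), msg


def demo():
    """Alter an ICV-protected and an HMAC-protected frame the same way."""
    original, altered = b"amount=0100", b"amount=0900"
    delta = xor(original, altered)
    wep_ok, wep_msg = wep_unprotect(
        apply_difference(wep_protect(original, KEYSTREAM), delta), KEYSTREAM)
    mac_ok, _ = mac_unprotect(
        apply_difference(mac_protect(original, MAC_KEY, KEYSTREAM), delta),
        MAC_KEY, KEYSTREAM)
    return wep_ok, wep_msg, mac_ok


if __name__ == "__main__":
    print(demo())  # (True, b'amount=0900', False)
```

The CRC-protected frame is accepted with the altered amount while the HMAC-protected frame is rejected, which is the reason a keyed MIC (Michael in TKIP, CBC-MAC in CCMP) replaced the ICV.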


7.3.4.3 Problems in WEP Confidentiality 

WEP relies on RC4 for confidentiality. Although RC4 is easy to implement in software, 
it is harder to guarantee its security compared with a block cipher. In particular, the implementation 
of RC4 in WEP has two major problems: IV reuse and weak keys. IV reuse causes security 
issues in seed generation for RC4. A seed of RC4 in WEP consists of the IV and the shared 
key. Because the shared key is not changed, the same seed is generated if the IV is reused. 
Since IVs are only 24 bits, there are only $2^{24}$ unique values. In other words, after around 
17 million messages, IVs are reused. For example, on an 11 Mbps transmission link, reuse of 
IVs will occur after 

$$2^{24}\ \text{packets} \times \frac{1500\ \text{bytes}}{\text{packet}} \times \frac{8\ \text{bits}}{1\ \text{byte}} \Big/ 11\ \text{Mbps} = 18{,}300\ \text{seconds} \approx 5\ \text{hours}.$$ 

A reused seed in RC4 results in the same keystream, which is used to encrypt and decrypt a 
message. If the same keystream is reused to encrypt two messages, then the message may be 
revealed without knowing the shared key or the IV. An example is illustrated in Figure 7.9. 
Assume that either Plaintext 1 (01011010101) or Plaintext 2 (11100101010) is known to 
the attacker, and that the same IV is used to encrypt both Plaintext 1 and Plaintext 2. Without loss 
of generality, assume the produced keystream is 10111110000, which is unknown to the 
attacker. Then Ciphertext 1 and Ciphertext 2 are 11100100101 and 01011011010, respectively. 
The ciphertexts can be captured by the attacker. After computing the intermediate result 
Ciphertext 1 $\oplus$ Ciphertext 2, the attacker can reveal Plaintext 1 given Plaintext 2, or 
vice versa. 

Figure 7.9 An example of security issue from IV reuse. 

Moreover, keys must be carefully chosen in WEP security. If a weak key is chosen, then 
the seed values input into the RC4 algorithm result in a sequence of non-random output. In this 
case, the first few bytes of the output reveal too much information about the key. With some 
known plaintext, such as protocol preambles or fixed frames in a protocol, attackers can 
further exploit the weak IVs to get the shared key. A weak key further shortens the 
time needed to break the shared key, because the number of messages that must be captured 
can be much smaller than waiting for an IV reuse: only about one million messages, due to the 
short length of the IV. 


7.3.4.4 Problems in WEP Key Management 

WEP key management lacks a centralized controller, where all keys are manually dis- 
tributed. For a small scale WLAN with a few STAs, such as a home Wi-Fi, it is possible 
to manage keys. However, for a large scale WLAN that has a large number of STAs, such 
as an enterprise Wi-Fi, it is difficult to change security keys. Nonetheless, since a single 
set of keys is shared by all the STAs and the AP, frequent change of keys is necessary. 
For example, if an employee quits the job, then the security key needs update to prevent 
disclosure. Moreover, if default key mode is used in WEP, STAs in the same WLAN can 
decrypt each other’s messages since the key is also the master key. 

7.3.5 Possible WEP Security Enhancement 


Security of WEP can be enhanced with some minor improvements of the scheme. To avoid 
IV reuse, a longer IV space shall be used. If a 48-bit IV is applied, then an IV reuse is almost 
impossible. Moreover, instead of transmitting the IV in plaintext, it would be a better protection 
if a hashed value of the IV is applied. To avoid a weak key, one can filter out such weak 
keys and use other keys instead, or one may discard the first 256 outputs of RC4 algorithm 
so that it is more difficult for an attacker to observe the correlation between the input and 
the output of RC4 algorithm. Other kinds of protection may also be added to WEP, e.g. fire- 
wall and Virtual Private Network (VPN). However, those minor improvements can only 
mitigate the attacks to WEP. Even with those improvements, WEP is by no means a robust 
security scheme for WLAN. Although WEP is still available in most APs, it is recommended 
to avoid using WEP to protect WLANs. A more secure protection (i.e. the IEEE 802.11i stan- 
dard) is recommended. The IEEE 802.11i standard depends on the IEEE 802.1X standard. 
An overview of IEEE 802.1X is presented in Section 7.4. 


7.4 IEEE 802.1X Authentication Model 


The IEEE 802.1X standard (interchangeable with 802.1X hereafter for simplicity) is part of the 
IEEE 802.1 group of networking protocols [54]. It is defined for Port-based Network Access 
Control (PNAC). IEEE 802.1X provides an authentication mechanism to devices that are to 
attach to a LAN or a WLAN. 


7.4.1 An Overview of IEEE 802.1X 


IEEE 802.1X standard was originally defined for IEEE 802.3 Ethernet in 2001. It defines 
the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802 standard, 
which is also known as EAPoL (EAP over LAN). In 2004, EAPoL was clarified to suit IEEE 
802.11 wireless and fiber distributed data interface in IEEE 802.1X. IEEE 802.1X authen- 
tication model involves three parties: a supplicant, an authenticator, and an authentication 
server, as shown in Figure 7.10. 
Figure 7.10 IEEE 802.1X authentication model. 

• The supplicant is a client device that wishes to get access to the network (i.e. a LAN or 
a WLAN). For instance, a supplicant can be a desktop computer in a LAN or a smart 
phone in a WLAN. The authenticator is a network device, such as an Ethernet switch 
in a LAN or a wireless AP in a WLAN, that has direct communication links with the 
supplicants. 

• The authenticator controls the security access to a protected network. A supplicant 
is not allowed to access the protected side of the network (e.g. Internet or enterprise 
database) through the authenticator before the identity of the supplicant is validated and 
authorized. 

• The authentication server is a host that supports Remote Authentication Dial In User 
Service (RADIUS) and EAP protocols. 


In the IEEE 802.1X standard, a supplicant requests access by providing credentials, such as 
a user name/password or a digital certificate, to the authenticator. The credentials are forwarded 
to the authentication server by the authenticator for verification. The supplicant 
will be allowed to access the protected side of the network if the credentials are verified 
by the authentication server. Once the credentials are verified, the supplicant can access the 
protected resources through the authenticator without involving the authentication server. 


7.4.2 Protocols in IEEE 802.1X 


A summary of the IEEE 802.1X protocol architecture for WLAN is shown in Figure 7.11. 
Major protocols in 802.1X include EAP, EAPoL, and RADIUS. 

EAP (RFC 3748) is an authentication framework without a specific authentication 
mechanism [55]. EAP is designed to provide some common functions and negotiation 
of authentication methods, and to transport the messages of actual authentication protocols 
(e.g. TLS, Transport Layer Security). There are several EAP methods defined for IEEE 
802.11 WLAN, including EAP-TLS (RFC 2716) [56], EAP-TTLS, PEAP, and EAP-SIM. 

Figure 7.11 Summary of the IEEE 802.1X protocol architecture for WLAN. 
Table 7.1 EAP messages. 

  Message        Description 
  EAP request    It carries messages from the supplicant to the authentication server. 
  EAP response   It carries messages from the authentication server to the supplicant. 
  EAP success    It signals successful authentication. 
  EAP failure    It signals authentication failure. 

Figure 7.12 EAPoL frame format. Octets: MAC header (12) | Protocol type (2) | Protocol version (1) | Packet type (1) | Packet body length (2) | Packet body (variable) | FCS (4). 


EAP includes four types of messages, as described in Table 7.1. In IEEE 802.1X, an 
authenticator relays all the EAP messages but does not understand what is inside them; 
it recognizes only EAP success and failure. 

EAPoL is designed for IEEE 802.1X to give a generic network sign-on to access network 
resources. EAPoL is used to encapsulate EAP messages into LAN protocols (e.g. Ethernet), 
and to carry EAP messages between supplicants and the authenticator. The EAPoL frame 
format is shown in Figure 7.12. Each EAPoL frame includes a 12-byte MAC header, 2-byte 
Ethernet type, 1-byte version, 1-byte packet type, 2-byte packet body length, a variable-length 
packet body, and a 4-byte frame check sequence. 

RADIUS (RFC 2865-2869, RFC 2548) is a networking protocol that provides centralized 
authentication, authorization, and accounting management for users who connect and use 
a network service. RADIUS is used to carry EAP messages between the authenticator and 
the authentication server in IEEE 802.1X standard. RADIUS utilizes MS-MPPE-Recv-Key 
attribute to transport the session key from the authentication server to the authenticator. 
The format of the MS-MPPE-Recv-Key attribute is shown in Figure 7.13. In IEEE 802.11i, 
RADIUS is mandated by WPA and is optional for Robust Security Network (RSN). 


The MS-MPPE-Recv-Key attribute contains a session key for encrypting packets 
received by the NAS from the remote host by the Microsoft Point-to-Point Encryption 
Protocol (MPPE) [57]. An MS-MPPE-Recv-Key attribute frame contains a 1-byte Vendor 
type, 1-byte Vendor length, 2-byte Salt and a variable size (an even multiple of 16) 
String. The Salt field is used to ensure the uniqueness of the keys used to encrypt 
each of the encrypted attributes. The String field consists of the Key-length, Key 
sub-fields, and the optional Padding sub-field. The actual encryption key is contained 
in the Key sub-field. The Padding sub-field is present when the combined length of 
the unencrypted Key-length and Key sub-fields is not an even multiple of 16. The 
String field must be encrypted prior to transmission. 

Figure 7.13 MS-MPPE-Recv-Key attribute format. Octets: Vendor type (1) | Vendor length (1) | Salt (2) | String (variable). 

7.4.3 Mapping the IEEE 802.1X model to WLAN 


IEEE 802.1X is not defined specifically for WLAN. Nonetheless, it is easy to map the IEEE 
802.1X model to WLAN. 

• Supplicant → Mobile device (STA) 

• Authenticator → Access point (AP) 

• Authentication server → Server application running on the AP 

• Port → Logical state implemented in software in the AP 

In order to apply IEEE 802.1X in IEEE 802.11i, some more features need to be added. 
First, a successful authentication not only switches on the port for the supplicant, but also 
exchanges a session key between the supplicant and the authentication server. Second, the 
session key is sent to the AP in a secure way. In other words, there is a shared key between 
the AP and the authentication server. In practice, this shared key is usually set up manually. 


7.5 IEEE 802.11i Standard 


Despite being the first security protocol for IEEE 802.11, WEP is a total failure. After the 
collapse of WEP, the IEEE started to develop a new security architecture, which is standardized 
as IEEE 802.11i [58]. The IEEE 802.11i standard defines two security protocols for 
WLAN, widely known as WPA and Wi-Fi Protected Access II (WPA2). 


7.5.1 Overview of IEEE 802.11i 


Compared with WEP, the access control model of IEEE 802.11i is based on IEEE 802.1X. 
It has a more flexible authentication framework based on EAP. Thus the authentication 
in IEEE 802.11i can be based on strong protocols (e.g. TLS). The authentication process 
also results in a shared session key, which can prevent session hijacking. Different keys are 
derived from the session key using a one-way function for encryption and integrity in IEEE 
802.11i. Besides keys, the functions of integrity protection and encryption are improved in 
IEEE 802.11i compared with WEP. 

In order to allow backward compatibility, IEEE 802.11i defines an optional protocol called 
Temporal Key Integrity Protocol (TKIP). TKIP has the same structure as WEP. The core 
encryption algorithm of TKIP is still based on RC4, while the security problems in WEP 
are avoided. Function Michael replaces CRC-32 for integrity protection in TKIP. Apply- 
ing TKIP is widely known as WPA, or IEEE 802.11i draft. More importantly, the IEEE 
802.11i standard defines the concept of Robust Security Network (RSN). An overview of 
RSN association is depicted in Figure 7.14. AES is the chosen cryptographic algorithm for 
both confidentiality and data integrity in RSN. Although RSN is a good security solution, it 
requires hardware upgrade to implement. Applying RSN/AES is widely known as WPA2, 
or just IEEE 802.11i. 


7.5.2 IEEE 802.11i Access Control 


User authentication and key management of IEEE 802.11i are generally based on IEEE 
802.1X. WPA supports two authenticated key management protocols: the IEEE 802.1X 
and EAP authentication, and the pre-shared key (PSK) authentication. The IEEE 802.1X 
and EAP authentication based WPA is also referred to as WPA-Enterprise or WPA-802.1X 
mode because it is preferred by enterprise environments. WPA-802.1X is available with 
both WPA and WPA2 for confidentiality and integrity protection. To apply access control, 
WPA-802.1X requires a centralized RADIUS authentication server. Mutual authentication 
is required by WPA-802.1X to prevent users from joining rogue networks. The PSK based 
authentication is designed for home and small office networks. It is also referred to as WPA- 
Personal or WPA-PSK. WPA-PSK requires neither an authentication server nor the EAP framework. 
WPA-PSK requires users to manually enter a password (i.e. the master key) in the AP 
or the wireless gateway, and enter the same password in each STA. During network 
operation, all wireless network devices within the WLAN network (i.e. STAs and APs) 
encrypt network traffic using a 256-bit key. 

Figure 7.14 Robust security network association. 

The WLAN authentication process based on IEEE 802.1X is shown in Figure 7.15. 
The supplicant first associates with an AP. The AP then sends the supplicant 
an EAP identity request. The supplicant responds by sending its EAP identity to the AP. 
The identity usually comprises the supplicant’s username and domain, e.g. a company 
email address. Then, the AP forwards this request to the RADIUS authentication server 
over its uncontrolled port. After receiving the supplicant’s EAP identity, the RADIUS 
authentication server first requests a domain user certificate that is associated with the 
identity it just received. The AS then sends the server certificate to the supplicant through 
the AP. Upon receiving the server certificate, the supplicant validates it and sends its own 
domain user certificate back to the RADIUS authentication server through the AP. Note 
that the supplicant needs to obtain the certificate over an Ethernet connection to the 
network or some other means of connection that does not use IEEE 802.1X. The RADIUS 
authentication server checks with the active directory domain controller and certificate 
authority to ensure that the domain user account information in the identity packet is 
indeed associated with the domain user certificate received from the supplicant. Once 
confirmed, the RADIUS authentication server sends an authentication success message to 
the AP. If the verification fails, an authentication failure message is sent to the AP instead. 
After the authentication process, the AS and the supplicant have established a session for 
secure communications. The authentication server and the supplicant possess a mutually 
authenticated master key. The master key represents the decision to grant access based on 
authentication. The supplicant and the authentication server have derived the Master 
Session Key (MSK) and Pairwise Master Key (PMK). The PMK is also distributed to the AP 
from the AS. 

Figure 7.15 WLAN authentication based on IEEE 802.1X. 


7.5.3 IEEE 802.11i Key Management 


The key hierarchy of WPA-802.1X is shown in Figure 7.16. PMK is a 256-bit master key 
to derive Pairwise Transient Keys (PTK) at both the supplicant and the AP. PTK includes a 
Key Encryption Key (KEK), a Key Integrity Key (KIK), a Data Encryption Key (DEK), and 
a Data Integrity Key (DIK). The KEK and the KIK are derived to protect key handshakes. 
DEK and DIK are derived to protect unicast message transmission between the STA and 
the AP. Group Master Key (GMK) is a 128-bit key randomly generated at the AP. From 
GMK, a Group Transient Key (GTK) is derived at the AP. GTK includes a Group Encryption 
Key (GEK) and a Group Integrity Key (GIK). GEK and GIK are used to protect broadcast 
message transmission between the STA and the AP. 

In both TKIP and AES-CCMP modes, the same four-way handshake process is applied to 
achieve PTK distributions. As shown in Figure 7.17, the four-way handshake process is as 
follows: 


(1) The AP sends a nonce value (ANonce) to the STA. The client now has all the attributes 
to construct the PTK. 

(2) The STA sends its own nonce value (SNonce) to the AP together with a sequence number 
(seqnum), information element (IE), and a message integrity code (MIC). 

(3) The AP constructs and sends the GTK and seqnum+1 together with another MIC. This 
sequence number will be used in the next multicast or broadcast frame, so that the 
receiving STA can perform basic replay detection. 

(4) The STA sends a confirmation to the AP. 


The GTK used in the network may need to be updated due to the expiration of a pre- 
set timer. When a device leaves the network, the GTK also needs to be updated. This is to 
prevent the device from receiving any more multicast or broadcast messages from the AP. 
To handle the updating, IEEE 802.11i defines a Group Key Handshake that consists of a 
two-way handshake: 

(1) The AP sends the new GTK to each STA in the network. The GTK is encrypted using 
the KEK assigned to that STA and is protected from tampering by a MIC. 

(2) The STA acknowledges the new GTK and replies to the AP. 




Keys for TKIP mode: PTK is derived by first concatenating PMK, the AP’s MAC address 
(MAC1), the STA’s MAC address (MAC2), the AP nonce (Nonce1), and the STA nonce (Nonce2). The 
result is then put through a 512-bit pseudo-random function (PRF). A hash function 
is usually applied as the PRF in this case. 

$$\mathrm{PTK} = \mathrm{PRF}_{512}(\mathrm{PMK}\,\|\,\mathrm{MAC1}\,\|\,\mathrm{MAC2}\,\|\,\mathrm{Nonce1}\,\|\,\mathrm{Nonce2}) = \mathrm{KEK}\,\|\,\mathrm{KIK}\,\|\,\mathrm{DEK}\,\|\,\mathrm{DIK}$$ 

GTK is derived by first concatenating GMK, the AP’s MAC address (MAC), and the group nonce 
(GNonce). The result is then put through a 256-bit PRF. 

$$\mathrm{GTK} = \mathrm{PRF}_{256}(\mathrm{GMK}\,\|\,\mathrm{MAC}\,\|\,\mathrm{GNonce}) = \mathrm{GEK}\,\|\,\mathrm{GIK}$$ 

Keys for AES-CCMP mode: PTK is derived in a similar way, where the PRF is 384-bit, 
since DEK and DIK are the same. 

$$\mathrm{PTK} = \mathrm{PRF}_{384}(\mathrm{PMK}\,\|\,\mathrm{MAC1}\,\|\,\mathrm{MAC2}\,\|\,\mathrm{Nonce1}\,\|\,\mathrm{Nonce2}) = \mathrm{KEK}\,\|\,\mathrm{KIK}\,\|\,\mathrm{DEK}\,\|\,\mathrm{DIK}$$ 

GTK is also derived in a similar way, where the PRF is 128-bit, since GEK and GIK are 
the same. 

$$\mathrm{GTK} = \mathrm{PRF}_{128}(\mathrm{GMK}\,\|\,\mathrm{MAC}\,\|\,\mathrm{GNonce}) = \mathrm{GEK}\,\|\,\mathrm{GIK}$$ 
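The PTK and GTK derivations above, carried out for both the TKIP (512/256-bit) and the AES-CCMP (384/128-bit) cases. This Python example is added here and is not code from the book; it implements the HMAC-SHA1 based PRF-n of IEEE 802.11i with its label strings ("Pairwise key expansion", "Group key expansion") and its min/max ordering of the two MAC addresses and nonces, and all key material and addresses are constructed values.

```python
import hashlib
import hmac

# Constructed inputs (not from the book): a 256-bit PMK, a 128-bit GMK, two
# locally administered MAC addresses and 256-bit nonces.
PMK = hashlib.sha256(b"constructed PMK for the example").digest()
GMK = hashlib.sha256(b"constructed GMK for the example").digest()[:16]
AA = bytes.fromhex("020000000a01")      # AP MAC address (MAC1 / MAC)
SPA = bytes.fromhex("020000000b02")     # STA MAC address (MAC2)
ANONCE = hashlib.sha256(b"constructed ANonce").digest()   # Nonce1
SNONCE = hashlib.sha256(b"constructed SNonce").digest()   # Nonce2
GNONCE = hashlib.sha256(b"constructed GNonce").digest()


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-n of IEEE 802.11i: HMAC-SHA1(key, label || 0x00 || data || i).

    A single zero octet separates the label from the data and i counts the
    20-byte output blocks from 0; the concatenation is truncated to nbits.
    """
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher):
    """PTK = PRF-X(PMK || MAC1 || MAC2 || Nonce1 || Nonce2), Section 7.5.3.

    X is 512 for TKIP and 384 for AES-CCMP. The standard feeds the addresses
    and nonces as min || max so both ends build the same input regardless of
    which side is MAC1. The book's names map onto the standard's layout as
    noted in the comments.
    """
    nbits = {"TKIP": 512, "CCMP": 384}[cipher]
    data = (min(aa, spa) + max(aa, spa)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    keys = {
        "KIK": ptk[0:16],   # key integrity key (KCK): MICs the handshake
        "KEK": ptk[16:32],  # key encryption key: wraps the GTK in message 3
        "DEK": ptk[32:48],  # data encryption key (temporal key TK)
    }
    if cipher == "TKIP":
        keys["DIK"] = ptk[48:64]   # two 64-bit Michael keys (AP->STA, STA->AP)
    else:
        keys["DIK"] = keys["DEK"]  # CCMP uses TK for both encryption and MIC
    return keys


def derive_gtk(gmk, aa, gnonce, cipher):
    """GTK = PRF-X(GMK || MAC || GNonce), X = 256 (TKIP) or 128 (AES-CCMP)."""
    nbits = {"TKIP": 256, "CCMP": 128}[cipher]
    gtk = prf(gmk, b"Group key expansion", aa + gnonce, nbits)
    keys = {"GEK": gtk[0:16]}
    keys["GIK"] = gtk[16:32] if cipher == "TKIP" else keys["GEK"]
    return keys


def handshake_keys(cipher="CCMP"):
    """Both ends of the four-way handshake derive the PTK; the AP also
    derives the GTK it sends in message 3. Returns (same_ptk, ptk, gtk)."""
    sta_ptk = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE, cipher)
    # Same inputs named from the AP's side; the min/max rule makes the
    # argument order irrelevant.
    ap_ptk = derive_ptk(PMK, SPA, AA, SNONCE, ANONCE, cipher)
    return sta_ptk == ap_ptk, sta_ptk, derive_gtk(GMK, AA, GNONCE, cipher)


if __name__ == "__main__":
    same, ptk, gtk = handshake_keys("TKIP")
    print(same, {k: v.hex() for k, v in ptk.items()})
```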


7.5.4 IEEE 802.11i Integrity and Confidentiality 


Both the TKIP and the AES-CCMP modes defined by IEEE 802.11i standards provide 
integrity and confidentiality. 


7.5.4.1 TKIP Mode 

The TKIP mode is defined and mandatory for WPA; it still uses RC4 as the core 
function so that it can be backward compatible with legacy devices. TKIP corrects the flaws 
in WEP so that security is much enhanced in two aspects. First, while CRC-32 is still 
applied as the ICV to the message, an 8-byte MIC is also computed and appended to the 
message. The MIC is computed by the function Michael. The purpose of the countermeasures 
with Michael is to reliably detect an attack and close down communications to the attacked 
STA for a period of time. Specifically, if two incorrect Michael MIC codes are received 
within one minute, the AP will reset the TKIP session with a different key and change 
all the future keystreams. Michael limits an attacker to one try per minute for the entire 
network and thus protects the integrity of transmission. Second, the IV space is increased 
to 48 bits in TKIP in order to prevent IV reuse. The IV is also used as a replay counter to prevent 
replay attacks. Moreover, TKIP applies per-packet keys instead of using the pre-shared 
key to prevent attacks based on weak keys. As shown in Figure 7.18, the per-packet key is 
derived from DEK, MAC address, and part of the IV. 

Figure 7.18 TKIP: Generating RC4 keys. 


7.5.4.2 AES-CCMP Mode 

The AES-CCMP mode is the standard encryption protocol for use with the WPA2 standard. 
It is more secure than the TKIP protocol. CCMP stands for Counter Mode with CBC-MAC Protocol: 
it uses AES in counter (CTR) mode for data confidentiality and CBC-MAC for authentication 
and integrity, the combination being known as CCM. CCMP encryption is based on AES processing 
and uses a 128-bit key and a 128-bit block size. 

CBC-MAC protects the integrity of the MAC header, CCMP header, and the Medium 
Access Control Protocol Data Unit (MPDU). The mutable fields, including the retry bit 
in the Frame Control word and the Duration field, are set to zero. The input is padded 
with zeros if the length is not a multiple of 128 bits. The initial block of CBC-MAC comprises 
five fields: an 8-bit flag, 8-bit priority, 48-bit source address, 48-bit packet number, and 16-bit 
data length. The final 128-bit block of the CBC encryption is truncated to its upper 64 bits to get 
the CBC-MAC value. 

The encryption uses AES in CTR mode. Both the MPDU and the CBC-MAC are encrypted 
while the MAC and CCMP headers are not. The format of the counter is similar to the 
CBC-MAC initial block, including an 8-bit flag, 8-bit priority, 48-bit source address, 48-bit 
packet number, and 16-bit counter. The counter is initialized with 1 and is incremented 
after each encrypted block. 


7.5.5 Function Michael 


Michael is a keyed hash function with a 64-bit key, and the output is a 64-bit value, as 
illustrated in Algorithm 7.1 [59]. The input key is converted to two 32-bit key words, and 
the message is divided into blocks with 32 bits each. The input message is padded at the end 
with a single byte with the hexadecimal value 5A followed by between 4 and 7 zero bytes, 
as illustrated in Figure 7.19. The number of 0’s is chosen so that the overall length of the 
message with padding is a multiple of 4 bytes. 

Algorithm 7.1 Michael 
Input: key $(k_0, k_1)$, message $m_0, m_1, \ldots, m_{n-1}$ 
Output: ICV 
$(L, R) \leftarrow (k_0, k_1)$ 
for $i = 0$ to $n-1$ do 
    $L \leftarrow L \oplus m_i$ 
    $(L, R) \leftarrow F(L, R)$ 
end for 
$\mathrm{ICV} \leftarrow (L, R)$ 

The round function $F(\cdot)$ is illustrated in Algorithm 7.2. In this function, $\lll$ is left rotation 
by bits, i.e. $(x \lll n)$ indicates an $n$-bit left rotation of $x$, and $\ggg$ is right rotation by bits, 
i.e. $(x \ggg n)$ indicates an $n$-bit right rotation of $x$. Function $\mathrm{swap}(\cdot)$ is a byte-level swapping 
function, i.e. given 4 bytes ABCD, $\mathrm{swap}(\mathrm{ABCD}) = \mathrm{BADC}$. Moreover, $\oplus$ is XOR and $+$ is 
addition modulo $2^{32}$. 

Figure 7.19 Padding in Michael. 

Algorithm 7.2 Round function F of Michael 
Input: $(L, R)$ 
Output: $(L, R)$ 
$R \leftarrow R \oplus (L \lll 17)$ 
$L \leftarrow (L + R) \bmod 2^{32}$ 
$R \leftarrow R \oplus \mathrm{swap}(L)$ 
$L \leftarrow (L + R) \bmod 2^{32}$ 
$R \leftarrow R \oplus (L \lll 3)$ 
$L \leftarrow (L + R) \bmod 2^{32}$ 
$R \leftarrow R \oplus (L \ggg 2)$ 
$L \leftarrow (L + R) \bmod 2^{32}$ 
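Michael as given in Algorithms 7.1 and 7.2 with the padding of Figure 7.19, in Python. This is an added example, not code from the book; the known-answer check uses the first Michael test vector published with IEEE 802.11i (all-zero key, empty message), and the small MicFailureMonitor class models the two-failures-per-minute countermeasure of Section 7.5.4.1 with a hypothetical interface.

```python
import hmac

MASK = 0xFFFFFFFF


def rol32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits (the <<< of Algorithm 7.2)."""
    return ((x << n) | (x >> (32 - n))) & MASK


def ror32(x: int, n: int) -> int:
    """Rotate a 32-bit word right by n bits (the >>> of Algorithm 7.2)."""
    return ((x >> n) | (x << (32 - n))) & MASK


def swap(x: int) -> int:
    """Byte-level swap of Algorithm 7.2: bytes ABCD become BADC."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def round_f(l: int, r: int):
    """Round function F(L, R) of Algorithm 7.2; additions are modulo 2^32."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK
    r ^= swap(l)
    l = (l + r) & MASK
    r ^= rol32(l, 3)
    l = (l + r) & MASK
    r ^= ror32(l, 2)
    l = (l + r) & MASK
    return l, r


def pad(message: bytes) -> bytes:
    """Padding of Figure 7.19: one 0x5A byte, then 4 to 7 zero bytes, so that
    the padded length is a multiple of 4."""
    padded = message + b"\x5a"
    return padded + bytes(4 + (-len(padded)) % 4)


def michael(key: bytes, message: bytes) -> bytes:
    """Michael MIC of Algorithm 7.1: 64-bit key in, 64-bit tag out.

    Key words and message words are little-endian 32-bit values, which is
    the convention of IEEE 802.11i and of its published test vectors.
    """
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l = int.from_bytes(key[0:4], "little")   # k0
    r = int.from_bytes(key[4:8], "little")   # k1
    data = pad(message)
    for i in range(0, len(data), 4):
        l ^= int.from_bytes(data[i:i + 4], "little")   # L <- L xor m_i
        l, r = round_f(l, r)
    return l.to_bytes(4, "little") + r.to_bytes(4, "little")


def michael_verify(key: bytes, message: bytes, mic: bytes) -> bool:
    """Constant-time comparison of a received MIC with the recomputed one."""
    return hmac.compare_digest(michael(key, message), mic)


class MicFailureMonitor:
    """TKIP countermeasure of Section 7.5.4.1 (hypothetical interface): a
    second Michael failure within one minute means the session must be
    rekeyed and traffic paused."""

    def __init__(self, window_seconds: float = 60.0):
        self.window = window_seconds
        self.failures = []

    def record_failure(self, now: float) -> bool:
        """Log a MIC failure at time `now`; return True when rekeying is due."""
        self.failures = [t for t in self.failures if now - t < self.window]
        self.failures.append(now)
        return len(self.failures) >= 2


if __name__ == "__main__":
    # IEEE 802.11i Michael test vector: all-zero key, empty message.
    print(michael(bytes(8), b"").hex())   # 82925c1ca1d130b8
```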

7.5.6 Weakness in 802.11i 


The known weakness in WPA is in the implementation of RC4 [60]. Specifically, the 2-byte 
WPA frame counter (TSC) biases the RC4 keystream, which permits mounting an effective 
statistical, plaintext-recovering attack when the same plaintext is encrypted in many different 
frames. Nonetheless, WPA is not intended to be a long-term secure solution and users 
are recommended to implement WPA2 whenever available. The only major weakness found 
in WPA2 is the Key Reinstallation Attack (KRACK) targeting the four-way handshake 
of the authentication protocol [61]. In normal operation, when a client joins a network 
and triggers the four-way handshake, a key is installed after receiving message 3 for data 
confidentiality. Message 3 may be retransmitted multiple times due to unreliable network 
conditions. Each time the client receives a copy of message 3, it reinstalls the same session 
key, resetting the incremental nonce (packet number) and replay counter used by the encryption 
algorithm. An attacker can force nonce resets by collecting and replaying message 3. With 
nonce resets, an attacker can decrypt packets, and/or launch attacks such as replay attacks 
and forgery. KRACK may also be launched against the group key in WPA2. 


7.6 Wi-Fi Protected Access 3 and Opportunistic Wireless Encryption 


The latest Wi-Fi security introduces WPA3 and opportunistic wireless encryption (OWE) 
with new features to simplify and enhance Wi-Fi security for open/public network, 
WPA3-Personal and WPA3-Enterprise. 


7.6.1 WPA3-Personal 


One of the major new features introduced in WPA3 is Simultaneous Authentication of 
Equals (SAE), which provides more robust password-based authentication, even when the 
chosen password falls short of typical complexity recommendations [53]. SAE replaces the 
four-way handshake method (PSK) used in WPA2 [58], thus being robust against KRACK 
attacks. SAE treats the two devices as equals rather than as requester and authenticator. As shown in 
Figure 7.20, both entities send their authentication information independently in the SAE 
handshake process. SAE is based on elliptic-curve Diffie-Hellman; the description is 
simplified in the figure. Because the PSK generated in the SAE process is for authentication 
only, SAE offers forward secrecy. In traditional PSK based systems, an attacker can hold on 
to encrypted data and later decrypt it once the password is hacked. In comparison, SAE 
requires a password change each time a connection is established. In this way, even if an 
attacker gets access to the network, passwords used for data prior to the connection would 
not be available. 


7.6.2 WPA3-Enterprise 


WPA3-Enterprise builds upon WPA2 to ensure the consistent application of security 
protocols across the network. The major enhancement of WPA3-Enterprise is its 
application of security protocols and cryptographic tools of equivalent 192-bit cryptographic 
strength. Therefore, enterprise, government, and other institutions can implement 
WPA3-Enterprise for stronger security. The cryptographic tools used in WPA3-Enterprise 
are listed in Table 7.2. 

Figure 7.20 Overview of SAE process for identity authentication. 

Table 7.2 Cryptographic tools used in WPA3-Enterprise. 

  Security feature                        Tools 
  Authenticated encryption                GCMP-256 
  Key derivation and confirmation         HMAC-SHA384 
  Key establishment and authentication    ECDH and ECDSA (384-bit elliptic curve) 
  Robust management frame protection      BIP-GMAC-256 


7.6.3 Opportunistic Wireless Encryption 


Open/public Wi-Fi networks in locations like coffee shops, airports, etc. do not apply 
Authentication and Key Agreement (AKA). As a result, wireless traffic is not encrypted. 
OWE is defined to encrypt wireless traffic in open/public networks [63]. As shown in 
Figure 7.21, OWE is based on the Diffie-Hellman algorithm (i.e. $F(\mathrm{DH}(\cdot))$) and the HMAC-based 
Extract-and-Expand Key Derivation Function (HKDF) to establish the PMK that can be 
used for traffic encryption. Both elliptic curve cryptography and finite field cryptography 
are supported by OWE. Once the secret $z$ is established through the Diffie-Hellman algorithm, 
the HKDF first outputs $prk$ as follows: 

$$prk = \text{HKDF-extract}(C\,|\,A\,|\,\text{group},\ z), \qquad (7.4)$$ 

where $C$ and $A$ are the public keys of the STA and AP, and group is from the Diffie-Hellman 
parameter element. Finally, the PMK is generated as follows: 

$$\mathrm{PMK} = \text{HKDF-expand}(prk,\ \text{“OWE Key Generation”},\ n), \qquad (7.5)$$ 

where $n$ is the number of bits of the digest produced by that hash algorithm. 

Figure 7.21 Overview of OWE process. 
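The OWE key derivation of (7.4) and (7.5), run for both the STA and the AP side of Figure 7.21. This Python example is added here and is not code from the book: HKDF-Extract and HKDF-Expand are implemented from RFC 5869 and checked against its first test vector, while the Diffie-Hellman group, its identifier and the private exponents are constructed toy values (a real exchange uses one of the registered ECC or MODP groups).

```python
import hashlib
import hmac

# Toy finite-field Diffie-Hellman group, constructed for this example only.
# 2**127 - 1 is a known (Mersenne) prime, but this is not a registered OWE
# group and the group identifier below is a placeholder as well.
TOY_P = 2**127 - 1
TOY_G = 5
TOY_GROUP_ID = 0xFFFE
KEY_BYTES = 16          # enough to hold any element of the toy group


def hkdf_extract(salt: bytes, ikm: bytes, h=hashlib.sha256) -> bytes:
    """HKDF-Extract of RFC 5869: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(h().digest_size)
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, h=hashlib.sha256) -> bytes:
    """HKDF-Expand of RFC 5869: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), h).digest()
        okm += t
        i += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """Check both primitives against RFC 5869 test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba63"
                         "90b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                             "5db02d56ecc4c5bf34007208d5b887185865")


def owe_pmk(c_pub: bytes, a_pub: bytes, group_id: int, z: bytes,
            h=hashlib.sha256) -> bytes:
    """Equations (7.4) and (7.5).

    prk = HKDF-extract(C | A | group, z) with the group number as two octets;
    PMK = HKDF-expand(prk, "OWE Key Generation", n), n = digest length.
    """
    salt = c_pub + a_pub + group_id.to_bytes(2, "big")
    prk = hkdf_extract(salt, z, h)
    return hkdf_expand(prk, b"OWE Key Generation", h().digest_size, h)


def owe_exchange(sta_private: int, ap_private: int):
    """Both sides of the exchange of Figure 7.21 over the toy group.

    The STA contributes C = g^c, the AP contributes A = g^a; each side derives
    z = g^(ac) from the other's public value and then the PMK.
    Returns (pmk_at_sta, pmk_at_ap).
    """
    c_pub = pow(TOY_G, sta_private, TOY_P).to_bytes(KEY_BYTES, "big")
    a_pub = pow(TOY_G, ap_private, TOY_P).to_bytes(KEY_BYTES, "big")
    z_sta = pow(int.from_bytes(a_pub, "big"), sta_private, TOY_P)
    z_ap = pow(int.from_bytes(c_pub, "big"), ap_private, TOY_P)
    pmk_sta = owe_pmk(c_pub, a_pub, TOY_GROUP_ID, z_sta.to_bytes(KEY_BYTES, "big"))
    pmk_ap = owe_pmk(c_pub, a_pub, TOY_GROUP_ID, z_ap.to_bytes(KEY_BYTES, "big"))
    return pmk_sta, pmk_ap


if __name__ == "__main__":
    print(hkdf_self_test())
    sta, ap = owe_exchange(123456789, 987654321)   # constructed exponents
    print(sta == ap, sta.hex())
```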


7.7 Summary 


WLAN security is discussed in this chapter. The original WLAN security defined by the 
IEEE 802.11 standard failed to protect the network. Although WEP is still supported by 
current Wi-Fi devices, it is not recommended for protecting a WLAN. IEEE 802.11i defines 
the TKIP mode and the AES-CCMP mode, also known as WPA and WPA2, respectively, for better 
WLAN security. The TKIP mode has addressed some of the security issues in WEP and 
has backward compatibility with legacy devices. The AES-CCMP mode is mandatory for current 
WLAN devices due to its better security. IEEE 802.11i also defines two types of authentication: 
WPA-Enterprise and WPA-Personal. WPA-Enterprise is based on IEEE 802.1X and 
EAP authentication, while WPA-Personal is based on the pre-shared key authentication. 
WPA3 was recently introduced as a successor to WPA2. In particular, WPA3 introduces traffic 
encryption to open/public networks, SAE to WPA3-Personal, and 192-bit security strength 
to WPA3-Enterprise. 

Bluetooth Security 


Bluetooth is an open standard for short-range radio communications. It is designed for wireless 
personal area networks (WPAN). Many wireless devices, such as smart watches, wireless 
headphones, wireless keyboards, wireless mice, vehicular on-board audio systems, etc., are 
based on Bluetooth technology. In this chapter, the security of current Bluetooth technology 
is introduced. 


8.1 Introduction to Bluetooth 


8.1.1 Overview of Bluetooth Technology 


Bluetooth devices form an ad-hoc network for data transmission. As shown in Figure 8.1, 
a Bluetooth ad-hoc network consists of two or more devices within a small area. Among 
all the devices, one is a master device and the rest are active slave devices. Such an ad-hoc 
network is called a piconet. Within a piconet, the slave devices have direct connection with 
the master device. However, there are no direct connections between any slave devices. 
A Bluetooth piconet (interchangeable with piconet in the rest of the chapter) supports eight 
active devices, i.e. one master device and seven active slave devices. Up to 255 further slave 
devices can be supported if they are inactive. A Bluetooth device may join several piconets 
simultaneously. For example, a slave device can be interconnected to both master devices 
in two piconets; the master device of a piconet can be a slave device in another piconet. It is 
clear that a Bluetooth device cannot be the master device for two or more piconets simul- 
taneously. If the devices of several piconets are interconnected (by forming extra piconets), 
then the interconnected piconets form a scatternet. The purpose of a scatternet is to connect 
more Bluetooth devices in a larger area. A Bluetooth scatternet can support up to 80 active 
devices [64]. 

Bluetooth uses a technique called spread spectrum frequency hopping to transmit data 
over 79 different frequencies. Each piconet follows a different hopping sequence, defined 
by the master device, with up to 1600 hops per second. Frequency hopping helps to reduce 
jamming of Bluetooth transmissions on a fixed frequency. Moreover, frequency hopping 
increases the difficulty of eavesdropping, since an eavesdropper may need to monitor all 79 
frequencies to collect all the information. However, frequency hopping itself is not enough 
to secure Bluetooth communications. More security features are needed for Bluetooth. 


Security in Wireless Communication Networks, First Edition. Yi Qian, Feng Ye, and Hsiao-Hwa Chen. 
© 2022 John Wiley & Sons Ltd. Published 2022 by John Wiley & Sons Ltd. 
Companion website: www.wiley.com/go/qian/sec51 
Figure 8.1 Overview of Bluetooth networks. 


Table 8.1 Major evolution of Bluetooth versions. 


Version     Date              Data rate     Major features 
v1.1        2001/02           732.2 kbps    Signal strength indication 
v1.2        2003/11           1 Mbps        Adaptive frequency hopping 
v2.0/v2.1   2004/11, 2007/07  2.1 Mbps      Enhanced data rate (EDR) 
v3.0        2009/04           24 Mbps       High speed channel 
v4.0        2009/12           2.1/24 Mbps   Low energy protocol 
v5.0        2016/12           2 Mbps        High spectral efficiency 


There have been several versions of the Bluetooth standard since 2001. Table 8.1 lists the 
major evolution of Bluetooth versions. The major improvements include both data transmission 
performance and security. In particular, while Bluetooth v2.0 + Enhanced Data 
Rate (EDR), published in November 2004, provided faster transmission speed, Bluetooth 
v2.1 + EDR, published in July 2007, provided a significant security improvement on link 
key generation and management in the form of Secure Simple Pairing (SSP). Research on 
Bluetooth technology is still ongoing, and newer versions with better performance and 
security will be developed. In the rest of this chapter, details of current Bluetooth security 
solutions are discussed. 


8.1.2 Bluetooth Vulnerabilities and Threats 


Bluetooth security mechanisms exist because of security threats that may put Bluetooth 
transmissions at risk. Being a wireless transmission technology, Bluetooth is susceptible to general 
wireless network threats, for example, eavesdropping, man-in-the-middle attacks, denial 
of service attacks, etc. Moreover, some attacks threaten Bluetooth security more directly. 
Some Bluetooth specific threats are Bluesnarfing, Bluejacking, Bluebugging, Car Whisperer, 
and fuzzing attacks [65-67]. 




8.1.2.1 Bluesnarfing 

Bluesnarf is the most famous Bluetooth attack, first identified by Marcel Holtmann in 
September 2003 [67]. A Bluesnarf attack mostly happens to a cell phone with Bluetooth 
capability. The attack is launched by connecting to the OBEX Push Profile (OPP). The 
OPP is an easy way to exchange business cards and other objects between devices, so 
authentication may not be required, which is not a problem for OBEX Push itself. However, 
a Bluesnarf attacker can perform an OBEX GET request for known filenames. If the file 
system does not protect the path and file names, a Bluesnarf attacker can easily obtain 
user data such as the contact list and calendar file. In the worst case, the attacker can fetch the 
entire file system if all file names are disclosed. 


8.1.2.2 Bluejacking 

Bluejacking is a possible attack on all Bluetooth-enabled mobile devices, such as wearable 
devices, cell phones, etc. A Bluejacking attacker initiates the attack by sending unsolicited 
messages to a user. At this point, there is no harm to the user other than receiving an 
unexpected message. However, if the message tricks the user into responding, which usually 
triggers authentication verification, then serious damage may follow. For example, a Bluejacking 
attack could be launched against a wearable device by sending a message that asks the user to 
confirm synchronizing daily tracking data. It is highly likely that the user can be tricked into 
confirming such a request, especially on wearable devices that only use vibration as the message alert. 


8.1.2.3 Bluebugging 

Bluebugging is a Bluetooth attack that mostly targets cell phones. Bluebug is a Bluetooth 
security loophole on some Bluetooth-enabled cell phones. Using this loophole, it may only take 
a few seconds for a Bluebugging attacker to issue authentication commands via a covert 
channel without alerting the user. Bluebugging allows an attacker to gain control of the 
compromised cell phone. For example, an attacker may initiate phone calls from the 
compromised device, send text messages, read the user's contact list, set call forwarding, establish 
an Internet connection, and perform several other actions that can cause privacy leakage and 
possible financial loss to a user. 


8.1.2.4 Car Whisperer 

Developed by European security researchers, Car Whisperer is a software tool that exploits a 
key implementation issue in hands-free Bluetooth car kits in vehicles. Through Car Whisperer, 
an attacker can send audio to the on-board speakers or eavesdrop through the microphone 
in the car. Despite being a threat to Bluetooth security, Car Whisperer was intended to 
alert car manufacturers that their hands-free car kits and other Bluetooth devices use 
standard passkeys (e.g. 0000 or 1234), so that such security threats could be mitigated. 
Recommendations include using random passkeys, or using some direct interaction with the 
device (e.g. a near-field communication initiated Bluetooth connection). 


8.1.2.5 Fuzzing Attacks 

Bluetooth fuzzing attacks are launched to detect vulnerabilities that may exist in the 
protocol stack. Therefore, fuzzing attacks may not harm a Bluetooth user instantly. To 
launch a fuzzing attack, an attacker sends malformed or non-standard data to a Bluetooth 
device and observes the reactions of the device. A potential vulnerability may be observed 
if a device's response is slowed or stopped. Fuzzing attacks are by no means harmless, 
because serious damage can be done based on a vulnerability found by a fuzzing attack. 
Developers may also run fuzzing attacks when developing a security protocol stack to find 
possible vulnerabilities before release. 


8.1.3 Bluetooth Security Services and Security Modes 


8.1.3.1 Bluetooth Security Services 

The Bluetooth standard specifies three basic security services: authentication, authorization, 
and confidentiality. Since Bluetooth networks do not have a physical infrastructure, all Bluetooth 
security services are provided only between Bluetooth devices over the wireless transmission 
links. The security services in Bluetooth include: 


• Authentication: Entity authentication verifies the identity of communicating devices. 
User authentication is not provided natively by Bluetooth. 

• Authorization: Bluetooth security allows the control of resources. A Bluetooth device 
must be authorized to use a service. 

• Confidentiality: User data is encrypted before transmission, thus confidentiality is 
provided in addition to the frequency hopping mentioned earlier. 


Beyond these three security services, no other security services are provided by the 
Bluetooth standard. Some commonly recognized security services, such as identity, 
non-repudiation, etc., must be provided by additional mechanisms if necessary. 


8.1.3.2 Bluetooth Security Modes 

Although all versions of Bluetooth specifications support the three basic security services, 
the implementation of each security service depends on one of the four security modes 
defined by various Bluetooth specifications [66, 68]. 


Security mode 1 (non-secure): No security functionality is provided in this mode. Mode 1 is 
only supported in v2.0 + EDR and earlier versions of Bluetooth standard. It is not supported 
by devices based on Bluetooth v2.1 + EDR and later versions of Bluetooth standard. Those 
devices must implement one of the other security modes. 


Security mode 2 (service level enforced security): Security procedures are initiated after Link 
Manager Protocol (LMP) link establishment but before Logical Link Control and Adaptation 
layer Protocol (L2CAP) channel establishment. Policies for access control and interfaces 
with other device users are controlled by a centralized security manager [69]. Authorization 
may be applied in this mode to decide if a Bluetooth device should be granted access 
to a specific service. Both authentication and confidentiality are applied in mode 2 at the 
LMP layer. All Bluetooth devices can support security mode 2. However, Bluetooth v2.1 + 
EDR versions support security mode 2 only for backward compatibility. 


Security mode 3 (link level enforced security): Security procedures are initiated before the 
physical link is fully established. Authentication and confidentiality are mandated in 
mode 3 for all connections from and to the Bluetooth device. Both one-way and mutual 
authentication are supported in mode 3. Only Bluetooth v2.0 + EDR or earlier versions 
can support security mode 3. 


Security mode 4 (service level enforced security): In mode 4, security procedures are initiated 
after a link setup, which is similar to mode 2. There are three security requirements for ser- 
vices protected by security mode 4: authenticated link key required, unauthenticated link key 
required, or no security required. If a link key is required, security mode 4 applies the same 
authentication and encryption algorithms that are based on the link key as in modes 2 and 3. 
The difference is that security mode 4 applies a scheme called SSP to generate the link key. In 
particular, SSP uses Elliptic Curve Diffie Hellman (ECDH) techniques for key exchange and 
link key generation. Security mode 4 is mandatory for communications between Bluetooth 
v2.1 + EDR and later versions. 


8.2 Link Key Generation 


In all Bluetooth security modes 2, 3, and 4, a link key is needed for authentication and 
encryption algorithms. Depending on different security modes, there are two methods to 
generate the link key. Modes 2 and 3 use one of the methods, and security mode 4 uses the 
other. 


8.2.1 Link Key Generation for Security Modes 2 and 3 


For security modes 2 and 3, two associated Bluetooth devices (a master and a slave) 
generate the link key simultaneously in the process shown in Figure 8.2. The slave device 
(device A) initiates the process by generating a random value IN_RAND and sending it to 
the master device (device B). Based on IN_RAND and a pre-shared secret value PIN, both 
devices derive the initialization key K_init as follows: 


K_init = E_22(PIN, IN_RAND), 

where E_22(·) is the encryption algorithm applied in this process. If the secret value PIN is less 
than 16 bytes, then the physical address of the device, BD_ADDR, will be used to supplement 
the PIN value to generate the initialization key. 


Figure 8.2 Link key generation in modes 2 and 3. (Device A sends IN_RAND to device B; 
both generate K_init; each generates its combination key, COMB_KEY_1 and COMB_KEY_2, and the 
two are exchanged; each generates K_1 and K_2; each generates K_link.) 
Once the initialization key is generated at both sides, the two devices generate random 
values LK_RAND_1 (device A) and LK_RAND_2 (device B). Based on these random values and the 
previously generated initialization key K_init, the two devices generate the combination 
keys COMB_KEY as follows: 


COMB_KEY_1 = LK_RAND_1 ⊕ K_init, 

and 

COMB_KEY_2 = LK_RAND_2 ⊕ K_init. 


The combination keys are exchanged between the two devices after generation. In the 
next step, device A calculates K_1 based on LK_RAND_1 and BD_ADDR_1 as follows: 


K_1 = E_21(LK_RAND_1, BD_ADDR_1), 


where E_21(·) is the encryption algorithm applied in this process. Moreover, device A also 
calculates K_2 based on COMB_KEY_2, K_init, and BD_ADDR_2 as follows: 


K_2 = E_21(COMB_KEY_2 ⊕ K_init, BD_ADDR_2). 


On the other side, device B calculates K_2 and K_1 in a similar way as follows: 

K_2 = E_21(LK_RAND_2, BD_ADDR_2), 

and 

K_1 = E_21(COMB_KEY_1 ⊕ K_init, BD_ADDR_1). 

Finally, the same link key is generated by both devices as follows: 

K_link = K_1 ⊕ K_2. 


The link key K_link will be applied in other security algorithms in both security modes 2 
and 3. Security mode 4 has a different approach to generating the link key, as illustrated in 
Section 8.2.2. 


8.2.2 Link Key Generation for Security Mode 4 


For security mode 4, two associated Bluetooth devices, a master (device B) and a slave 
(device A), generate the link key through the process shown in Figure 8.3. Link key 
generation in mode 4 is based on ECDH, which involves public key cryptography in the 
process. 

In the first step, the two devices exchange their public keys, i.e. Pu_1 for device A and Pu_2 
for device B. Then a DH key K_DH is generated by each device from its own private key and 
the peer's public key using the ECDH algorithm (E_DH(·)) as follows: 


K_DH = E_DH(Pr_1, Pu_2), by device A, 
K_DH = E_DH(Pr_2, Pu_1), by device B. 


After generating K_DH, devices A and B need to establish shared parameters (N_1, N_2, r_1, r_2) 
through an association model, which has three different protocols: Numeric Comparison, 
Out-of-Band, and Passkey Entry. Assuming that the association model is completed and the 
parameters are established (the association model will be illustrated later), devices A 
and B will generate values E_1 and E_2 as follows: 


E_1 = f_3(K_DH, N_1, N_2, r_2, IOCAP_1, BD_ADDR_1, BD_ADDR_2), 
E_2 = f_3(K_DH, N_2, N_1, r_1, IOCAP_2, BD_ADDR_2, BD_ADDR_1), 


where f_3(·) is a function based on HMAC with SHA-256. Devices A and B exchange E_1 
and E_2 after computing the values. The two devices then verify the received E_2 or E_1 values. 
If the verifications succeed, both devices continue to derive the link key as follows: 


K_link = f_2(K_DH, N_1, N_2, btlk, BD_ADDR_1, BD_ADDR_2), 


where f_2(·) is also a function based on HMAC with SHA-256, and btlk is a predefined 
bit string. The three protocols of the association model are illustrated in Section 8.2.3. 


8.2.3 Association Model in Mode 4 


The association model in security mode 4 has three protocols to establish the parameters 
(N_1, N_2, r_1, r_2). Each protocol is designed to fit a specific type of Bluetooth device. The 
three protocols are Numeric Comparison, Out-of-Band, and Passkey Entry, as detailed in 
the following. 


8.2.3.1 Numeric comparison 

This protocol was designed for the type of Bluetooth device that is capable of displaying 
a number (typically six digits) and accepting user input in response. For pairing, 
a six-digit number is displayed on both devices. If the two match, a (human) user shall 
confirm it and continue the pairing process. The difference between this process and the use of 
PINs is that this six-digit number is not applied as an input in the later pairing process. The 
final link key is not determined by the six-digit number. Thus, even if the six-digit value 
is revealed to an attacker, it cannot be used to generate the link key or the encryption key. 
The process of the numeric comparison protocol is illustrated in Figure 8.4. Each device 
generates a 128-bit random value, i.e. N_1 and N_2, respectively. These two values are used 
to prevent replay attacks. Values r_1 and r_2 are set to 0. Then, device B (master) computes a 
commitment C_2 as follows: 


C_2 = f_1(Pu_2, Pu_1, N_2, 0), 


where f_1(·) is a function based on HMAC with SHA-256. Note that Pu/Pr are the 
public/private key pairs of the corresponding devices. Commitment C_2 prevents an attacker 
from changing the values at a later time. Device B shall transfer C_2 to device A. The random 
values N_1 and N_2 are exchanged at this stage as well. Upon receiving C_2, device A verifies it 
by computing the commitment value with the same inputs. If the two values match, then 
device A computes a six-digit value V_1 as follows: 


V_1 = g(Pu_1, Pu_2, N_1, N_2), 


where g(·) is the hash function SHA-256. Similarly, device B computes a six-digit value V_2 
as follows: 


V_2 = g(Pu_1, Pu_2, N_1, N_2). 


Note that V_1 and V_2 are the two six-digit values displayed on each device. The user shall compare 
the two values and confirm whether they match. If they do not match, then the protocol aborts. If 
they match, the association model succeeds and the link key generation process continues 
with the parameters. 

Figure 8.4 Association model: numeric comparison. 


8.2.3.2 Out-of-Band (OOB) 

This protocol was designed for a pair of Bluetooth devices where one has input capability 
(e.g. a Bluetooth keyboard) and the other has a display (e.g. a tablet; input capability is not 
required). Moreover, non-Bluetooth wireless technologies are involved in the OOB protocol, 
hence the name out-of-band. One of the most popular non-Bluetooth technologies for the 
OOB protocol is Near Field Communication (NFC). NFC can be used to establish a 
Bluetooth connection by simply touching the two NFC-enabled devices together and confirming 
the process. Let OOB-IO be a device that has a mechanism allowing it to communicate with the 
Bluetooth controller and another device. Let OOB-O be a device that cannot communicate 
with the Bluetooth controller and can only transmit data. There are three scenarios that 
are practical for the OOB model, as shown in Table 8.2. Because the OOB model requires at least 
one device to be a reader, there must be a device with OOB-IO capability. The other can be 
either OOB-IO or OOB-O. The scenario where both devices are OOB-O does not exist. 


Table 8.2 Scenarios for two devices using the OOB protocol. 


Scenario   Device 1   Device 2 
1          OOB-IO     OOB-O 
2          OOB-O      OOB-IO 
3          OOB-IO     OOB-IO 

To establish a connection using the OOB protocol, the device with a display shows a six-digit 
number, and the user enters it on the device with input capability to confirm the process. 
Although the six-digit number is input to the other device by the user, it is not applied in the 
link key generation process. The OOB protocol is illustrated in Figure 8.5. Either device A or 
device B can be the master because the OOB protocol is symmetric. Without loss of generality, 
device B is assumed to be the master for illustration. To begin the process, device A sets 
r_1 to a random value RAND and r_2 to 0. Device B sets r_2 to a random value RAND and r_1 to 0. 
Then, both devices A and B compute commitments C_1 and C_2 of their public keys. The random 
values and commitments need to be exchanged between the two devices. Depending 
on the communication capability of the devices, there are two scenarios, as shown in the shaded 
area of Figure 8.5. In the first scenario, if OOB communication is possible only in one direction, 
i.e. OOB-IO and OOB-O devices, then authentication will be based on the random 
value r. If the random value r is not sent to the other device, it is assumed to be zero. In this 
example, assuming device B is not capable of OOB communication (i.e. OOB-O), then r_1, 
BD_ADDR_1 and C_1 are sent from device A to device B. Device B does not send any information 
to device A. Random value r_2 is set to 0 at both sides. In the second scenario, if both 
devices A and B are capable of OOB communication (i.e. OOB-IO), then they exchange 
their random values, Bluetooth addresses, and commitments. After exchanging information, 
both devices shall verify the received commitment values. Then, device A sets r_2 to 0 
and device B sets r_1 to 0 if the corresponding value was not received. Random values N_1 and N_2 
are generated at each side. Finally, N_1 and N_2 are exchanged for further processing. 

Figure 8.5 Association model: out-of-band. 


8.2.3.3 Passkey entry 

In this protocol, a passkey is needed to generate the parameters. Unlike the other models, 
the passkey entry model runs iteratively based on the length of the passkey. A passkey is agreed 
by both devices before initiating the process. In practice, this passkey may be generated and 
displayed on one device, and the user inputs it into the other device. The process of the 
passkey entry protocol is illustrated in Figure 8.6. The random values r_1 and r_2 function as 
the passkey in this protocol. Therefore, r_1 = r_2. Let the passkey (r_1 or r_2) have a length of 
k bits; then the remaining operations shall be repeated k times to generate N_1 and N_2. In the 
ith iteration, for example, device A chooses a 128-bit nonce N_{1,i} and calculates a commitment 
value C_{1,i} as follows: 


C_{1,i} = f_1(Pu_1, Pu_2, N_{1,i}, r_{1,i}), 


where r_{1,i} is the ith bit of r_1. Device B also chooses a 128-bit nonce N_{2,i} and calculates a 
commitment value C_{2,i} as follows: 


C_{2,i} = f_1(Pu_2, Pu_1, N_{2,i}, r_{2,i}). 


The commitment values are exchanged after that. Device A then sends its nonce N_{1,i} to 
device B. Device B computes C_{1,i} and compares it with the received one for verification. 
If the two values match, then device B sends its nonce N_{2,i} to device A. After all k 
iterations, the final N_{1,k} and N_{2,k} shall be used as N_1 and N_2 for further processing to 
generate the link key. 
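The commitment logic of the numeric comparison protocol (Section 8.2.3.1) and of the passkey entry protocol above, as one added example that is not from the book. f_1 is modelled as HMAC-SHA-256 keyed by the nonce and g as SHA-256 reduced to six digits, following the text's description rather than the standard's exact byte layout (an assumption, so values differ from a real controller's); the public keys Pu_1 and Pu_2 are constructed byte strings standing in for ECDH points. The two scenarios worth seeing are the ones the commitments exist for: a nonce altered after C_2 was sent is caught by device A, and a passkey that differs on one device is caught at the first differing bit.

```python
import hashlib
import hmac
import secrets


def f1(u: bytes, v: bytes, x: bytes, z: bytes) -> bytes:
    """Commitment function f_1: HMAC-SHA-256 keyed by the nonce x over (u, v, z).
    Assumption: the standard's exact input encoding is not reproduced."""
    return hmac.new(x, u + v + z, hashlib.sha256).digest()[:16]


def g(u: bytes, v: bytes, x: bytes, y: bytes) -> int:
    """Six-digit check value: SHA-256 over (Pu_1, Pu_2, N_1, N_2), low 32 bits taken mod 10^6."""
    digest = hashlib.sha256(u + v + x + y).digest()
    return int.from_bytes(digest[-4:], "big") % 1_000_000


def numeric_comparison(pu_1, pu_2, n_1, n_2, n_2_on_air=None):
    """Numeric comparison with r_1 = r_2 = 0. Returns (V_1, V_2) for the user to compare,
    or None if device A's check of C_2 fails. n_2_on_air models N_2 being altered in transit."""
    c_2 = f1(pu_2, pu_1, n_2, b"\x00")                         # B commits to N_2 before revealing it
    n_2_received = n_2 if n_2_on_air is None else n_2_on_air   # then N_1 and N_2 are exchanged
    if not hmac.compare_digest(f1(pu_2, pu_1, n_2_received, b"\x00"), c_2):
        return None                                            # A: commitment mismatch, abort
    v_1 = g(pu_1, pu_2, n_1, n_2_received)                     # displayed on device A
    v_2 = g(pu_1, pu_2, n_1, n_2)                              # displayed on device B
    return v_1, v_2


def passkey_entry(pu_1, pu_2, passkey_a: int, passkey_b: int, k: int = 20):
    """Passkey entry: k iterations, one per passkey bit (20 bits cover a six-digit passkey).
    Each device uses the passkey it holds. Returns the final (N_1, N_2), or None once a
    commitment fails to verify, which happens at the first bit on which the passkeys differ."""
    n_1 = n_2 = None
    for i in range(k):
        r_1i = bytes([(passkey_a >> i) & 1])    # ith bit of r_1 at device A
        r_2i = bytes([(passkey_b >> i) & 1])    # ith bit of r_2 at device B
        n_1i, n_2i = secrets.token_bytes(16), secrets.token_bytes(16)
        c_1i = f1(pu_1, pu_2, n_1i, r_1i)       # A -> B
        c_2i = f1(pu_2, pu_1, n_2i, r_2i)       # B -> A
        # A reveals N_{1,i}; B recomputes C_{1,i} with its own bit r_{2,i}
        if not hmac.compare_digest(f1(pu_1, pu_2, n_1i, r_2i), c_1i):
            return None
        # B reveals N_{2,i}; A recomputes C_{2,i} with its own bit r_{1,i}
        if not hmac.compare_digest(f1(pu_2, pu_1, n_2i, r_1i), c_2i):
            return None
        n_1, n_2 = n_1i, n_2i
    return n_1, n_2


if __name__ == "__main__":
    pu_1 = b"\x04" + b"\x11" * 64    # constructed stand-in for Pu_1
    pu_2 = b"\x04" + b"\x22" * 64    # constructed stand-in for Pu_2
    n_1, n_2 = secrets.token_bytes(16), secrets.token_bytes(16)
    print("numeric comparison:", numeric_comparison(pu_1, pu_2, n_1, n_2))
    print("tampered N_2:", numeric_comparison(pu_1, pu_2, n_1, n_2, n_2_on_air=b"\xcc" * 16))
    print("passkey match:", passkey_entry(pu_1, pu_2, 123456, 123456) is not None)
    print("passkey mismatch:", passkey_entry(pu_1, pu_2, 123456, 123457) is not None)
```

Because each commitment is revealed only after the peer has committed, a party cannot adapt its nonce to force matching V values, and in passkey entry the bit-by-bit reveal means an observer learns at most one bit of the passkey per run, which is why the standard expects a fresh passkey each time.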




8.3 Authentication, Confidentiality, and Trust and Service Levels 


8.3.1 Authentication 


Bluetooth supports one-way authentication [68]. Figure 8.7 shows a one-way authentication 
process between device A (slave) and device B (master), where device A is 
authenticated by device B. As the supplicant, device A sends an authentication request 
and its Bluetooth MAC address BD_ADDR_1 to device B. After receiving the request, 
device B generates a 128-bit random challenge AU_RAND and replies to device A. With 
the Bluetooth address of the supplicant and the random challenge available at both sides, 
the two devices compute two values ACO and SRES as follows: 


SRES||ACO = E_1(BD_ADDR_1, AU_RAND, K_link), 


where E_1(·) is the SAFER+ algorithm, SRES is the 32-bit authentication response, and ACO 
is the authenticated ciphering offset to be used in the encryption process. The supplicant 
(device A) sends its SRES to device B for verification. If the received SRES matches the one 
computed by device B, then the verification succeeds, and device B confirms the success 
of authentication to device A. If an authentication fails, then a Bluetooth device shall 
wait for a short period of time before it can initiate another authentication process. 
The security of Bluetooth authentication depends solely on the link key. Because the addresses 
of both devices are considered public parameters, they are exchanged in clear text during 
the process. 


Mutual authentication: Bluetooth security does not specify a separate protocol for 
mutual authentication. Mutual authentication is achieved by executing the one-way 
authentication process twice. Once device A is authenticated by device B, the same 
authentication process is performed again with device B being the supplicant. An 
authentication supplicant is not associated with being the slave or the master device. 
In the example described earlier, device A is defined as the slave and device B 
is defined as the master. When device B is switched to the supplicant for mutual 
authentication, it is still the master device. 
Figure 8.7 One-way Bluetooth authentication. 

8.3.2 Confidentiality 


Confidentiality is supported by all Bluetooth versions. It is achieved by encrypting data 
transmission. In total, Bluetooth standard defines three encryption modes, as follows: 


• Encryption mode 1: No encryption. 
• Encryption mode 2: Encrypt unicast data traffic only and leave broadcast data traffic 
unencrypted. 
• Encryption mode 3: Encrypt all data traffic. 


For those applications that do not need confidentiality, encryption mode 1 provides data 
transmission in cleartext. Encryption mode 2 provides confidentiality to part of the traffic, 
excluding broadcast traffic. If confidentiality is needed for all data traffic, then encryption 
mode 3 should be applied. The encryption mechanism is the same for both encryption 
modes 2 and 3. A stream cipher E_0 is the core of the encryption mechanism. As all 
stream ciphers do, E_0 generates a KEYSTREAM for each incoming data block. Both 
encryption and decryption operations are performed by XORing the input data block with 
the KEYSTREAM. 

Figure 8.8 Encryption mechanism for Bluetooth security modes 2 and 3. 

The overall encryption mechanism is illustrated in Figure 8.8. The stream cipher E_0 is 
based on a cipher key K_c, which is generated using an internal key generator (KG) E_3 as 
follows: 


K_c = E_3(K_link, EN_RAND, COF), 

where K_link is the 128-bit link key, EN_RAND is a 128-bit random number generated by the 
master device, and the ciphering offset (COF) is a 96-bit value. If the current link key is not a 
master key, then the COF is the same as the ACO produced in authentication. If the current 
link key is a master key, then the COF is derived from the BD_ADDR of the master device as 
follows: 


COF = BD_ADDR||BD_ADDR. 


The stream cipher E_0 does not take K_c as a direct input if its effective key length is less 
than 128 bits. Instead, K_c is input to a constraining mechanism, which generates a 128-bit 
constrained key K_c'. The constraining mechanism is applied to meet the restrictions of 
some encryption hardware. Besides K_c', the inputs to E_0 also include the address of device 
B, BD_ADDR_2, the random value EN_RAND, and the current clock value clk. Finally, the 
132-bit KEYSTREAM is computed as follows: 


KEYSTREAM = E_0(K_c', BD_ADDR_2, EN_RAND, clk). 


Once KEYSTREAM is generated, encryption is performed by XORing the plaintext data 
block with the KEYSTREAM as follows: 


CIPHERTEXT = PLAINTEXT ⊕ KEYSTREAM, 


and decryption is performed by XORing the ciphertext data block with the KEYSTREAM 
as follows: 


PLAINTEXT = CIPHERTEXT ⊕ KEYSTREAM. 
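The chain from authentication to encryption, covering both Section 8.3.1 (SRES||ACO = E_1(...)) and the K_c, COF and KEYSTREAM steps above, as one added example that is not from the book. The standard's E_1, E_3 and E_0 are SAFER+-based and LFSR-based respectively; here all three are HMAC-SHA-256 stand-ins (an assumption, so the values are not those of a real controller), with E_0 run in a counter mode so it can produce a keystream of any length and the constraining mechanism omitted (K_c' = K_c assumed). Addresses, link keys and random values are constructed.

```python
import hashlib
import hmac
import secrets


def e1(bd_addr: bytes, au_rand: bytes, k_link: bytes):
    """Stand-in for E_1 (SAFER+-based in the standard). Returns (SRES, ACO): the 128-bit
    output SRES||ACO split into the 32-bit response and the 96-bit ciphering offset."""
    out = hmac.new(k_link, b"E1" + bd_addr + au_rand, hashlib.sha256).digest()[:16]
    return out[:4], out[4:]


def e3(k_link: bytes, en_rand: bytes, cof: bytes) -> bytes:
    """Stand-in for the key generator E_3: K_c = E_3(K_link, EN_RAND, COF), 128 bits."""
    return hmac.new(k_link, b"E3" + en_rand + cof, hashlib.sha256).digest()[:16]


def e0_keystream(k_c: bytes, master_addr: bytes, en_rand: bytes, clk: int, length: int) -> bytes:
    """Stand-in for E_0: keystream from (K_c', BD_ADDR_2, EN_RAND, clk), K_c' = K_c assumed.
    The real E_0 is an LFSR cipher emitting 132 bits per block; HMAC in counter mode here."""
    ks = b""
    for counter in range((length + 31) // 32):
        msg = b"E0" + master_addr + en_rand + clk.to_bytes(4, "big") + counter.to_bytes(2, "big")
        ks += hmac.new(k_c, msg, hashlib.sha256).digest()
    return ks[:length]


def one_way_authentication(supplicant_addr, k_link_supplicant, k_link_verifier, au_rand=None):
    """Device B (verifier) challenges device A (supplicant) with AU_RAND.
    Returns (success, ACO held by the verifier); mutual authentication is this run twice."""
    au_rand = au_rand or secrets.token_bytes(16)                   # B -> A
    sres_a, _ = e1(supplicant_addr, au_rand, k_link_supplicant)    # A sends SRES to B
    sres_b, aco_b = e1(supplicant_addr, au_rand, k_link_verifier)  # B computes its own
    return hmac.compare_digest(sres_a, sres_b), aco_b


def ciphering_offset(aco: bytes, master_addr: bytes, link_key_is_master_key: bool) -> bytes:
    """COF = ACO for an ordinary link key; COF = BD_ADDR||BD_ADDR of the master otherwise."""
    return master_addr + master_addr if link_key_is_master_key else aco


def crypt(k_c: bytes, master_addr: bytes, en_rand: bytes, clk: int, data: bytes) -> bytes:
    """Encryption modes 2/3: CIPHERTEXT = PLAINTEXT xor KEYSTREAM; the same call decrypts."""
    ks = e0_keystream(k_c, master_addr, en_rand, clk, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def session_demo() -> bool:
    """Authenticate, derive K_c from the resulting ACO, then round-trip one data block."""
    addr_a = bytes.fromhex("001122334455")   # constructed BD_ADDR_1 (slave, supplicant)
    addr_b = bytes.fromhex("66778899aabb")   # constructed BD_ADDR_2 (master)
    k_link = bytes.fromhex("0f" * 16)        # constructed link key shared by both devices
    ok, aco = one_way_authentication(addr_a, k_link, k_link)
    if not ok:
        return False
    en_rand = secrets.token_bytes(16)        # generated by the master
    k_c = e3(k_link, en_rand, ciphering_offset(aco, addr_b, False))
    block = b"constructed payload block"
    ct = crypt(k_c, addr_b, en_rand, 42, block)
    return ct != block and crypt(k_c, addr_b, en_rand, 42, ct) == block


if __name__ == "__main__":
    print("session ok:", session_demo())
```

The clock value clk is what keeps successive blocks from sharing a keystream: the block is XORed with E_0 output, so two blocks encrypted under the same (K_c', EN_RAND, clk) would leak their XOR, which is why a fresh EN_RAND and a monotonically changing clock are part of the cipher's input.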


All three security services have been illustrated so far. Readers should now have a clear view of 
the four security modes defined in the Bluetooth standard. The cryptographic functions used 
above (E_0, E_1, and E_3) will be illustrated in detail in Section 8.4. 


8.3.3 Trust and Security Service Levels 


Besides the four security modes, the Bluetooth standard also defines two levels of trust and three 
levels of security services. As listed in Table 8.3, the two Bluetooth trust levels are trusted and 
untrusted. A trusted device has a fixed relationship with another device. A trusted device 
shall also have full access to all services of the other device. An untrusted device does not 
have a fixed relationship, thus only restricted access is granted to an untrusted device. 

The three levels of security services are listed in Table 8.4. These levels enable 
flexible configuration of security services depending on application requirements. 
Security level 1 requires both authorization and authentication. Security level 2 requires 
authentication only. Security level 3 has no security service required. None of the security 
levels requires encryption. In fact, since encryption has a mode that applies no 
encryption, forcing encryption does not necessarily achieve confidentiality. 


Table 8.3 Bluetooth trust levels. 


Trust level   Policies 
Trusted       Fixed relationship and full access 
Untrusted     Restricted access to services 


Table 8.4 Bluetooth service levels. 


Level     Security services                Policies 
Level 1   Authorization, Authentication    Automatic access is granted only to trusted devices; 
                                           untrusted devices need manual authorization 
Level 2   Authentication                   Access to an application is allowed only after 
                                           an authentication procedure 
Level 3   Open                             Access is granted automatically 


Bluetooth Security Architecture 

The Bluetooth standards define security services, security modes, as well as trust and 
service levels. The overall Bluetooth security architecture allows applications to configure 
trust relationships; for example, a trusted device can still be given restricted access. Because 
Bluetooth security controls operate at the link layer, and the link layer is transparent to 
the security controls imposed by the application layers [68], additional security 
policies can be defined by the security manager, and user-based authentication can be 
enforced through the application layers. 


8.4 Cryptographic Functions for Security Modes 1, 2, and 3 


Bluetooth security mechanisms are based on a few cryptographic functions [70]. In this 
section, the functions for security modes 1, 2, and 3 are illustrated, including SAFER+, E_1, 
E_21, E_22, E_3, and E_0. 


8.4.1 SAFER+ 


The functions E_21, E_22, and E_3 used to generate keys are built around the core function 
SAFER+. SAFER+ was originally a submission by Cylink Corporation for the Advanced 
Encryption Standard [71]. SAFER+ is based on the SAFER (Secure And Fast Encryption 
Routine) family of ciphers. Similar to the eventually selected AES, SAFER+ is a block cipher 
that operates on 128-bit data blocks. The key size of SAFER+ can be 128, 192, 
or 256 bits. Bluetooth security algorithms are based on the SAFER+ configuration with a 
128-bit key [70]. The following illustration of SAFER+ is given for the 128-bit key setting. 


8.4.1.1 Overview of the SAFER+ Structure 

Figure 8.9 shows the overview of the SAFER+ structure. The SAFER+ is a block cipher 
that has eight rounds. In the encryption structure, each round function takes in the out- 
put of the previous round and two round subkeys. The first encryption round takes in the 
128-bit plaintext. The output of the final encryption round (i.e. round 8) is input to an output 
transformation function, together with one round subkey. The decryption structure follows 
the reverse structure of encryption. The ciphertext is input to an input transformation func- 
tion, together with one round subkey. The output is then input to eight decryption round 
functions. The output of the 8th decryption round is the plaintext. 


8.4.1.2 SAFER+ Round Function 
A SAFER+ round function consists of a key-controlled substitution function and an invertible linear transformation function. The key-controlled substitution function is shown in Figure 8.10. Let $\oplus$ denote bitwise modulo-two addition of bytes, and $\boxplus$ denote modulo-256 addition of bytes. $E(\cdot)$ is a function that computes a value as follows:

$$E(x) = (45^{x} \bmod 257) \bmod 256.$$

$L(\cdot)$ is the inverse of $E(\cdot)$ and computes a value as follows:

$$L(x) = \log_{45}(x) \bmod 256.$$

Figure 8.9 Overview of the SAFER+ structure.
Figure 8.10 Key-controlled substitution.


The output of the key-controlled substitution is input to the invertible linear transformation function, which is shown in Figure 8.11. The invertible linear transformation function is based on the Pseudo-Hadamard Transform (PHT). As shown in Figure 8.12, the 2-PHT follows a "butterfly" structure: the 2-PHT function takes inputs $a$ and $b$ and outputs $2a + b$ and $a + b$ (modulo 256). Mathematically, the 2-PHT operates with the matrix $H_2$ in encryption and the inverse matrix $H_2^{-1}$ in decryption as follows:

$$H_2 = \begin{pmatrix} 2 & 1 \\ 1 & 1 \end{pmatrix}, \qquad H_2^{-1} = \begin{pmatrix} 1 & -1 \\ -1 & 2 \end{pmatrix}.$$

Finally, the byte values go through the Armenian shuffle function, which is the coordinate permutation as follows: 9, 12, 13, 16, 3, 2, 7, 6, 11, 10, 15, 14, 1, 8, 5, 4.
Figure 8.11 Invertible linear transformation.

8.4.1.3 SAFER+ Key Schedule for 128-Bit Key

Besides the output of the previous encryption round (except for the first round, which takes the plaintext as input), each SAFER+ encryption round function also takes a round key as input. There are nine encryption round keys to be generated. Each of the first eight round keys consists of two 128-bit round subkeys. The last round key consists of one round subkey. In total, the SAFER+ key schedule generates 17 round subkeys. The SAFER+ key schedule is illustrated in Figure 8.13. Let $K_i$ be the $i$th round subkey. The input key is appended with a parity byte to form the expanded key. Then $K_1$ is the first 16 bytes of the expanded key, which is the input key. From $K_2$ to $K_{17}$, each byte of the expanded key first has a 3-bit left circular shift. Each round subkey $K_i$ is then generated by adding the first 16 bytes of the expanded key to a bias

$$B_i = (b_i[0], b_i[1], \ldots, b_i[15]), \quad i = 2, 3, \ldots, 17,$$

using modulo-256 addition $\boxplus$. For each subkey $K_i$, the bias vector is defined as follows:

$$b_i[j] = \left( \left( 45^{\,45^{17i + j + 1} \bmod 257} \right) \bmod 257 \right) \bmod 256, \quad \text{for } j = 0, \ldots, 15.$$
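The SAFER+ building blocks of Section 8.4.1, as an added example that is not the book's code: the $E/L$ tables, the 2-PHT and its inverse, the Armenian shuffle, one round's key-controlled substitution (using the SAFER+ specification's XOR/E/ADD and ADD/L/XOR byte pattern), and the 128-bit key schedule with its bias vectors. The subkey selection uses the SAFER+ specification's window of 16 bytes starting at byte $i-1$ of the rotated 17-byte expanded key, and the parity byte is the XOR of the 16 key bytes; a single PHT layer plus shuffle stands in for the full linear transformation.

```python
"""SAFER+ building blocks (128-bit key) as used by Bluetooth E1/E21/E22/E3.

Added example, not code from the book: exp/log tables, 2-PHT, Armenian
shuffle, one round's key-controlled substitution and the key schedule.
"""

# E(x) = (45^x mod 257) mod 256; L is its inverse (L(0) = 128 since 45^128 = 256 mod 257)
EXP = [pow(45, x, 257) % 256 for x in range(256)]
LOG = [0] * 256
for _x, _e in enumerate(EXP):
    LOG[_e] = _x


def pht2(a, b):
    """2-PHT butterfly: (a, b) -> (2a + b, a + b), bytes modulo 256."""
    return (2 * a + b) % 256, (a + b) % 256


def ipht2(c, d):
    """Inverse 2-PHT using H2^-1 = [[1, -1], [-1, 2]]."""
    return (c - d) % 256, (2 * d - c) % 256


# Armenian shuffle: output byte k is taken from input byte SHUFFLE[k] (1-indexed)
SHUFFLE = [9, 12, 13, 16, 3, 2, 7, 6, 11, 10, 15, 14, 1, 8, 5, 4]


def armenian_shuffle(block):
    return [block[p - 1] for p in SHUFFLE]


def inverse_armenian_shuffle(block):
    out = [0] * 16
    for k, p in enumerate(SHUFFLE):
        out[p - 1] = block[k]
    return out


def pht_layer(block):
    """Apply the 2-PHT to the eight adjacent byte pairs of a 16-byte block."""
    out = []
    for i in range(0, 16, 2):
        out.extend(pht2(block[i], block[i + 1]))
    return out


def inverse_pht_layer(block):
    out = []
    for i in range(0, 16, 2):
        out.extend(ipht2(block[i], block[i + 1]))
    return out


# Byte positions that take the XOR / E / ADD path; the others take ADD / L / XOR.
XOR_FIRST = {0, 3, 4, 7, 8, 11, 12, 15}


def key_controlled_substitution(block, k_a, k_b):
    """One round's substitution with its two 16-byte round subkeys k_a, k_b."""
    out = []
    for i in range(16):
        if i in XOR_FIRST:
            out.append((EXP[block[i] ^ k_a[i]] + k_b[i]) % 256)
        else:
            out.append(LOG[(block[i] + k_a[i]) % 256] ^ k_b[i])
    return out


def inverse_key_controlled_substitution(block, k_a, k_b):
    """Undo key_controlled_substitution (used in the decryption rounds)."""
    out = []
    for i in range(16):
        if i in XOR_FIRST:
            out.append(LOG[(block[i] - k_b[i]) % 256] ^ k_a[i])
        else:
            out.append((EXP[block[i] ^ k_b[i]] - k_a[i]) % 256)
    return out


def bias(i):
    """Bias vector B_i, i = 2..17: b_i[j] = ((45^(45^(17i+j+1) mod 257)) mod 257) mod 256."""
    return [pow(45, pow(45, 17 * i + j + 1, 257), 257) % 256 for j in range(16)]


def key_schedule(key):
    """Return the 17 round subkeys K_1..K_17 for a 16-byte key."""
    assert len(key) == 16
    parity = 0
    for b in key:
        parity ^= b                      # parity byte = XOR of the 16 key bytes
    reg = list(key) + [parity]           # 17-byte expanded key
    subkeys = [list(key)]                # K_1 is the key itself
    for i in range(2, 18):
        reg = [((b << 3) | (b >> 5)) & 0xFF for b in reg]   # 3-bit left rotation per byte
        # SAFER+ takes the 16 bytes starting at offset (i - 1) mod 17 of the rotated register
        window = [reg[(i - 1 + j) % 17] for j in range(16)]
        subkeys.append([(w + b) % 256 for w, b in zip(window, bias(i))])
    return subkeys


if __name__ == "__main__":
    ks = key_schedule(list(range(16)))          # constructed key 00 01 .. 0f
    print(armenian_shuffle(pht_layer(key_controlled_substitution(list(range(16)), ks[0], ks[1]))))
```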


8.4.2 Function $E_1(\cdot)$


In Bluetooth authentication, function $E_1(\cdot)$ is applied to generate SRES and ACO. As shown in Figure 8.14, the cores of function $E_1(\cdot)$ are SAFER+ and a slightly modified SAFER+. For better illustration, SAFER+ will be denoted by $S_r$, and the modified SAFER+ will be denoted by $S'_r$. The inputs to $E_1(\cdot)$ are the link key $K_{link}$, a random value AU_RAND, and BD_ADDR. The 8-byte input key $K_{link}$ passes through an offset function and generates a 16-byte $K'_{link}$ as follows:


$$\begin{aligned}
K'_{link}[0] &= (K_{link}[0] + 233) \bmod 256; & K'_{link}[1] &= K_{link}[1] \oplus 229; \\
K'_{link}[2] &= (K_{link}[2] + 223) \bmod 256; & K'_{link}[3] &= K_{link}[3] \oplus 193; \\
K'_{link}[4] &= (K_{link}[4] + 179) \bmod 256; & K'_{link}[5] &= K_{link}[5] \oplus 167; \\
K'_{link}[6] &= (K_{link}[6] + 149) \bmod 256; & K'_{link}[7] &= K_{link}[7] \oplus 131; \\
K'_{link}[8] &= K_{link}[8] \oplus 233; & K'_{link}[9] &= (K_{link}[9] + 229) \bmod 256; \\
K'_{link}[10] &= K_{link}[10] \oplus 223; & K'_{link}[11] &= (K_{link}[11] + 193) \bmod 256; \\
K'_{link}[12] &= K_{link}[12] \oplus 179; & K'_{link}[13] &= (K_{link}[13] + 167) \bmod 256; \\
K'_{link}[14] &= K_{link}[14] \oplus 149; & K'_{link}[15] &= (K_{link}[15] + 131) \bmod 256.
\end{aligned}$$


Note that the $L$ bytes of BD_ADDR are expanded to 16 bytes by a function Expand:

$$\mathrm{Expand}(X[0, \ldots, L-1], L) = (X[i \bmod L];\ i = 0, \ldots, 15),$$

where $L = 6$ in function $E_1$. The final output of $E_1$ is the combination of a 4-byte SRES and a 12-byte ACO. The modification applied in $S'_r$ is to add the original input to the third round input, as shown in Figure 8.15.

Figure 8.15 Modified key-controlled substitution for the third round in $S'_r$.
Figure 8.16 Overview of function $E_{21}(\cdot)$.


8.4.3 Function $E_{21}(\cdot)$


Function $E_{21}(\cdot)$ generates the unit key $K_A$ or $K_B$ with inputs RAND and ADDR. As shown in Figure 8.16, the core function of $E_{21}(\cdot)$ is $S'_r$. Taking inputs RAND and ADDR, $K_A$ or $K_B$ is computed as follows:

$$K_A\ (\text{or } K_B) = E_{21}(\mathrm{RAND}, \mathrm{ADDR}) = S'_r(F(\mathrm{RAND}), F(\mathrm{ADDR})),$$

where the 16-byte $F(\mathrm{RAND})$ is computed as follows:

$$F(\mathrm{RAND}) = \mathrm{RAND}[0, \ldots, 14] \cup (\mathrm{RAND}[15] \oplus 6),$$

where $\cup$ denotes the union (concatenation) operator. $F(\mathrm{ADDR})$ is computed as follows:

$$F(\mathrm{ADDR}) = \bigcup_{i=0}^{15} \mathrm{ADDR}[i \bmod 6].$$


8.4.4 Function $E_{22}(\cdot)$


As shown in Figure 8.17, function $E_{22}(\cdot)$ generates the initial key $K_{init}$ with inputs PIN and RAND as follows:

$$K_{init} = E_{22}(\mathrm{PIN}, \mathrm{RAND}) = S'_r(F(\mathrm{PIN}', N), F(\mathrm{RAND}, N)),$$

where $F(\mathrm{PIN}', N)$ is generated based on PIN and the length of PIN, $N$. First, a 16-byte $\mathrm{PIN}'$ is generated by passing PIN through a constraining function as follows:

$$\mathrm{PIN}' = \begin{cases} \mathrm{PIN}[0, \ldots, N-1] \cup \mathrm{ADDR}[0, \ldots, (5, 15-N)^-], & N < 16 \\ \mathrm{PIN}[0, \ldots, N-1], & N = 16 \end{cases}$$

where $(5, 15-N)^-$ outputs the smaller value between 5 and $(15 - N)$. It can be seen that if $N$ is smaller than 16 bytes, then ADDR is used. If $N = 16$, then $\mathrm{PIN}' = \mathrm{PIN}$. Once $\mathrm{PIN}'$ is generated, $F(\mathrm{PIN}', N)$ is computed as follows:

$$F(\mathrm{PIN}', N) = \bigcup_{i=0}^{15} \mathrm{PIN}'[i \bmod N].$$

The other input to $S'_r$ is $F(\mathrm{RAND}, N)$, which is generated based on RAND and $N$ as follows:

$$F(\mathrm{RAND}, N) = \mathrm{RAND}[0, \ldots, 14] \cup (\mathrm{RAND}[15] \oplus N).$$

The $S'_r$ function computes the final output of $E_{22}$, that is, $K_{init}$.

Figure 8.17 Overview of function $E_{22}(\cdot)$.
Figure 8.18 Overview of function $E_3(\cdot)$.


8.4.5 Function $E_3(\cdot)$

As shown in Figure 8.18, function $E_3(\cdot)$ generates the encryption key $K_C$ such that

$$K_C = E_3(K_{link}, \mathrm{RAND}, \mathrm{COF}).$$

Note that function $E_3(\cdot)$ has the same structure as function $E_1$. The difference is that the inputs are $K_{link}$, RAND, and COF, and $L$ in function Expand is 12 instead of 6.


8.4.6 Function $E_0(\cdot)$


Function $E_0(\cdot)$ is the stream cipher for Bluetooth data encryption. The core of $E_0(\cdot)$ is built around four independent linear feedback shift registers (LFSRs) and a finite state machine (FSM). An overview of function $E_0(\cdot)$ is shown in Figure 8.19. The four linear feedback shift registers $\mathrm{LFSR}_i(t)$ compute $x_{it}$, for $i = 1, 2, 3, 4$. The four LFSRs are each fully characterized by the following four feedback polynomials:

$$\begin{aligned}
\mathrm{LFSR}_1(t) &= t^{25} + t^{20} + t^{12} + t^{8} + 1; \\
\mathrm{LFSR}_2(t) &= t^{31} + t^{24} + t^{16} + t^{12} + 1; \\
\mathrm{LFSR}_3(t) &= t^{33} + t^{28} + t^{24} + t^{4} + 1; \\
\mathrm{LFSR}_4(t) &= t^{39} + t^{36} + t^{28} + t^{4} + 1.
\end{aligned}$$

Figure 8.19 Overview of function $E_0$.

The outputs of the LFSRs are passed through an FSM, which is introduced to add nonlinearity so that finding the initial state from observed key stream data is difficult. At time $t$, the FSM functions as follows:

$$s_t = x_{1t} + x_{2t} + x_{3t} + x_{4t} + c_t,$$

where $c_t$ takes on only the values 0, 1, 2, and 3. The $c_t$ is updated as $t$ increases from a vector $\mathbf{c}_t = (c^1_t, c^0_t)^T$. The mapping function computes

$$c_t = 2c^1_t + c^0_t.$$

To compute the next $c_{t+1}$, first find $u_{t+1} = \lfloor s_t / 2 \rfloor$, which is a binary vector $(u^1_{t+1}, u^0_{t+1})^T$. Then the vector $\mathbf{c}_{t+1}$ is computed as follows:

$$\mathbf{c}_{t+1} = \begin{pmatrix} c^1_{t+1} \\ c^0_{t+1} \end{pmatrix} = \begin{pmatrix} u^1_{t+1} \\ u^0_{t+1} \end{pmatrix} \oplus \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \begin{pmatrix} c^1_{t} \\ c^0_{t} \end{pmatrix} \oplus \begin{pmatrix} 0 & 1 \\ 1 & 1 \end{pmatrix} \begin{pmatrix} c^1_{t-1} \\ c^0_{t-1} \end{pmatrix}.$$

Once $s_t$ is generated from the FSM, the final output symbol $z_t$ is the binary result obtained as follows:

$$z_t = s_t \bmod 2 = x_{1t} \oplus x_{2t} \oplus x_{3t} \oplus x_{4t} \oplus (c_t \bmod 2).$$

The output of $E_0$ is the KEYSTREAM for data encryption and decryption. The final issue that remains is how to deal with the inputs to $E_0(\cdot)$ in the initialization process.

Initialization of $E_0$: To generate the output for KEYSTREAM, $E_0(\cdot)$ takes inputs $K'_C$, EN_RAND, BD_ADDR, and clk. The four inputs are used to derive 132-bit initial values, where 128 bits are for the LFSRs, and 2 bits each for $c_{-1}$ and $c_0$. The 132-bit initial values are derived by generating 200 stream cipher bits using the generator as follows. First shift in the three inputs $K'_C$, BD_ADDR, clk bits and the 6-bit constant 113 (208 bits total) by initializing the LFSRs:


• Open all LFSR switches.
• Initialize the LFSRs as follows:

$$\begin{aligned}
\mathrm{LFSR}_1 &: A[2]\ C[1]\ K[12]\ K[8]\ K[4]\ K[0]\ C_{24}; \\
\mathrm{LFSR}_2 &: A[3]\ A[0]\ K[13]\ K[9]\ K[5]\ K[1]\ C_L[0]\ 001; \\
\mathrm{LFSR}_3 &: A[4]\ C[2]\ K[14]\ K[10]\ K[6]\ K[2]\ C_{25}; \\
\mathrm{LFSR}_4 &: A[5]\ A[1]\ K[15]\ K[11]\ K[7]\ K[3]\ C_U[0]\ 111,
\end{aligned}$$

where $A$, $K$, and $C$ denote bytes of BD_ADDR, $K'_C$, and clk, $C_L[0] = C_3, C_2, C_1, C_0$, and $C_U[0] = C_7, C_6, C_5, C_4$.
• Set the initial states of the LFSRs to zero.
• Start to shift in the input bits.
• Close the feedback switch of the four LFSRs after 25, 31, 33, and 39 clock instants, respectively.
• At $t = 39$, set bits $c_{39} = 0$ and $c_{38} = 0$.
• Continue to shift in the remaining input bits.


The process will continue until 200 output bits are produced. Finally, keep $c_t$ and $c_{t-1}$, and load the last 128 generated bits into the four LFSRs. The last 128 bits are the initial values of the LFSRs. They are fed back into the LFSRs to generate KEYSTREAM bits. The final states of $c_t$ and $c_{t-1}$ are the initial values for $c_{-1}$ and $c_0$. Once initialized, $E_0$ is ready to generate KEYSTREAM bits for data block encryption/decryption.
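The $E_0$ combiner described above, as an added example that is not the book's code: the four LFSRs with the listed feedback polynomials, the sum $s_t$, the $T_1/T_2$ update of $c_t$, and the output bit $z_t$. The 200-bit initialization is left out, so the LFSR states and blender values passed in are constructed inputs, and taking each LFSR's output from its oldest bit is an assumption made for illustration.

```python
"""Core of the Bluetooth E0 keystream generator: four LFSRs plus the FSM.

Added example, not code from the book. The initialization procedure is
not included: LFSR states and c values are constructed inputs. Each
LFSR's output is taken from its oldest bit (an assumption for
illustration; the standard fixes the exact output taps).
"""

# Degree and tap exponents of t^25+t^20+t^12+t^8+1, t^31+t^24+t^16+t^12+1,
# t^33+t^28+t^24+t^4+1 and t^39+t^36+t^28+t^4+1 (the "+1" term is tap 0).
LFSR_SPECS = [
    (25, (0, 8, 12, 20)),
    (31, (0, 12, 16, 24)),
    (33, (0, 4, 24, 28)),
    (39, (0, 4, 28, 36)),
]

# Constructed initial states (each below 2^degree) for the demonstration.
DEMO_STATES = (0x1ABCDE5, 0x2468ACE, 0x13579BDF, 0x7F00FF00F)


def lfsr_clock(state, degree, taps):
    """Fibonacci LFSR step where bit i of state holds s_{t+i}.

    Returns (output_bit, new_state): the oldest bit s_t is output and the
    new bit s_{t+degree} is the XOR of the tapped bits.
    """
    out = state & 1
    fb = 0
    for tap in taps:
        fb ^= (state >> tap) & 1
    return out, (state >> 1) | (fb << (degree - 1))


def t2(c):
    """T2: (x1, x0) -> (x0, x1 XOR x0) for c = 2*x1 + x0."""
    x1, x0 = (c >> 1) & 1, c & 1
    return (x0 << 1) | (x1 ^ x0)


def fsm_step(x, c_t, c_prev):
    """One FSM step for the LFSR output bits x = [x1t, x2t, x3t, x4t].

    s_t = x1t + x2t + x3t + x4t + c_t, z_t = s_t mod 2, u_{t+1} = floor(s_t / 2),
    c_{t+1} = u_{t+1} XOR T1[c_t] XOR T2[c_{t-1}] with T1 the identity.
    Returns (z_t, c_{t+1}).
    """
    s = sum(x) + c_t
    z = s & 1
    u = s >> 1
    return z, u ^ c_t ^ t2(c_prev)


def e0_keystream(states, c_0, c_minus1, nbits):
    """Produce nbits keystream bits from the given LFSR states and c_0, c_{-1}."""
    states = list(states)
    c_t, c_tm1 = c_0, c_minus1
    bits = []
    for _ in range(nbits):
        x = []
        for i, (degree, taps) in enumerate(LFSR_SPECS):
            out, states[i] = lfsr_clock(states[i], degree, taps)
            x.append(out)
        z, c_next = fsm_step(x, c_t, c_tm1)
        bits.append(z)
        c_tm1, c_t = c_t, c_next
    return bits


def xor_keystream(data, states, c_0, c_minus1):
    """Encrypt or decrypt data by XORing it with the keystream (LSB first)."""
    ks = e0_keystream(states, c_0, c_minus1, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        k = 0
        for j in range(8):
            k |= ks[8 * i + j] << j
        out.append(byte ^ k)
    return bytes(out)


if __name__ == "__main__":
    ct = xor_keystream(b"BT payload", DEMO_STATES, 0, 0)
    print(ct.hex(), xor_keystream(ct, DEMO_STATES, 0, 0))
```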


8.5 Cryptographic Functions in Security Mode 4 (SSP)


Bluetooth security mode 4 applies SSP to generate the link key for authentication. SSP includes functions that are different from those for security modes 1, 2, and 3. The functions used in SSP include $P_{192}(\cdot)$, $f_1(\cdot)$, $g(\cdot)$, $f_2(\cdot)$, and $f_3(\cdot)$. Each will be discussed in this section.


8.5.1 Function $P_{192}(\cdot)$

Function $P_{192}(\cdot)$ is the elliptic curve used to generate the Diffie-Hellman key $K_{DH}$ [72]. The elliptic curve $E$ specified in $P_{192}(\cdot)$ is as follows:

$$E: y^2 = x^3 + ax + b \pmod p,$$

where $p$ is a prime modulus with order $r$, base point $x$-coordinate $G_x$, and base point $y$-coordinate $G_y$; $a = (-3) \bmod p$; and $b$ is a defined number. The parameters set for the elliptic curve used in $P_{192}$ are as follows:

p = 6277101735386680763835789423207666416083908700390324961279;
r = 6277101735386680763835789423176059013767194773182842284081;
b = 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1;
G_x = 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012;
G_y = 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811.

With a given curve $E$, $P_{192}(u, V)$ is computed as the $x$-coordinate of the $u$th multiple $uV$ of the point $V$.
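The function $P_{192}(u, V)$ above, as an added example that is not the book's code: affine point arithmetic on the listed curve parameters, double-and-add scalar multiplication, and the Diffie-Hellman step in which each side takes the $x$-coordinate of its private key times the peer's public key. The private keys used are constructed values.

```python
"""ECDH on the P-192 curve of SSP: P192(u, V) = x-coordinate of u*V.

Added example, not code from the book. Curve parameters are the ones
listed above; the private keys are constructed values for illustration.
"""

P = 6277101735386680763835789423207666416083908700390324961279
R = 6277101735386680763835789423176059013767194773182842284081
A = (-3) % P
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
GX = 0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012
GY = 0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811
G = (GX, GY)
INF = None   # the point at infinity


def on_curve(pt):
    """Check y^2 = x^3 + ax + b (mod p); the point at infinity counts as on the curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine addition (and doubling) on E over GF(p)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(u, V):
    """Double-and-add: the u-th multiple uV of point V."""
    result = INF
    addend = V
    while u:
        if u & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        u >>= 1
    return result


def p192(u, V):
    """SSP function P192(u, V): x-coordinate of uV (None for the point at infinity)."""
    pt = scalar_mult(u, V)
    return None if pt is INF else pt[0]


def ssp_dhkey(sk_own, pk_peer):
    """DHKey = P192(SK_own, PK_peer); both sides obtain the same 192-bit value."""
    return p192(sk_own, pk_peer)


# Constructed private keys (in practice chosen at random in [1, r - 1]).
SK_A = 0x1F2E3D4C5B6A79887766554433221100FEDCBA9876543210
SK_B = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

if __name__ == "__main__":
    pk_a = scalar_mult(SK_A, G)
    pk_b = scalar_mult(SK_B, G)
    print(hex(ssp_dhkey(SK_A, pk_b)), ssp_dhkey(SK_A, pk_b) == ssp_dhkey(SK_B, pk_a))
```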
8.5.2 Function $f_1(\cdot)$


In SSP, function $f_1(\cdot)$ computes the commitments. The function makes use of HMAC based on SHA-256 with a 128-bit key $X$. For better illustration of the function, let the inputs to $f_1(\cdot)$ be 192-bit $U$, 192-bit $V$, 128-bit $X$, and 8-bit $Z$; then the output of $f_1(\cdot)$ is:

$$f_1(U, V, X, Z) = \mathrm{HMAC\text{-}SHA\text{-}256}_X(U \| V \| Z) / 2^{128},$$

which returns the most significant 128 bits of the hash value. Readers shall map the actual inputs that are used in SSP. Note that for the Numeric Comparison and OOB protocols, $Z = 0$. For the Passkey protocol, the most significant bit of $Z$ is set to one and the least significant bit is from one bit of the passkey.


8.5.3 Function $g(\cdot)$


Function $g(\cdot)$ uses the hash function SHA-256 to compute the output and applies the least significant 32 bits as the output of $g(\cdot)$. Let the four inputs be 192-bit $U$, 192-bit $V$, 128-bit $X$, and 8-bit $Y$; then the output of $g$ is:

$$g(U, V, X, Y) = \mathrm{SHA\text{-}256}(U \| V \| X \| Y) \bmod 2^{32}.$$

The checksum used for the numeric comparison protocol is the least significant 6 digits (in decimal), i.e. $g(U, V, X, Y) \bmod 10^6$.


8.5.3.1 Function $f_2(\cdot)$

Function $f_2$ is the final step to generate the link key in SSP. Similar to $f_1(\cdot)$, function $f_2$ also uses HMAC based on SHA-256, with a 192-bit key $W$. Let the inputs to $f_2$ be 192-bit $W$, 128-bit $U$, 128-bit $V$, 32-bit $X$, 48-bit $Y$, and 48-bit $Z$; then the output of $f_2$ is:

$$f_2(W, U, V, X, Y, Z) = \mathrm{HMAC\text{-}SHA\text{-}256}_W(U \| V \| X \| Y \| Z) / 2^{128},$$

which returns the most significant 128 bits of the hash value as the link key.


8.5.3.2 Function $f_3(\cdot)$

Function $f_3(\cdot)$ also uses HMAC based on SHA-256, with a 192-bit key $W$. Let the inputs to $f_3$ be 192-bit $W$, 128-bit $N$, 128-bit $U$, 128-bit $V$, 16-bit $X$, 48-bit $Y$, and 48-bit $Z$; then the output of $f_3$ is:

$$f_3(W, N, U, V, X, Y, Z) = \mathrm{HMAC\text{-}SHA\text{-}256}_W(N \| U \| V \| X \| Y \| Z) / 2^{128},$$

where the most significant 128 bits of the hash value are the output of $f_3(\cdot)$, i.e. $E_a$ or $E_b$.
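The four SSP functions of Section 8.5, as an added example that is not the book's code, wired into one Numeric Comparison run: the $f_1$ commitment and its check once the nonce is revealed, the 6-digit value from $g$, the link key from $f_2$, and the confirmation values from $f_3$. The assignment of public keys, nonces, addresses and I/O capabilities to the inputs $U, V, X, \ldots$ is my reading of the text for illustration, the 32-bit $X$ of $f_2$ is set to the ASCII string "btlk", and all values are constructed.

```python
"""SSP functions f1, g, f2, f3 and a Numeric Comparison run using them.

Added example, not code from the book. The mapping of protocol values
(public keys, nonces, addresses, I/O capabilities) onto the inputs
U, V, X, ... is an illustrative reading; all values are constructed.
"""
import hashlib
import hmac


def _hmac_top128(key, msg):
    """HMAC-SHA-256 under key, keeping the most significant 128 bits."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def f1(U, V, X, Z):
    """Commitment: HMAC-SHA-256_X(U || V || Z) / 2^128, with Z one byte."""
    return _hmac_top128(X, U + V + bytes([Z]))


def g(U, V, X, Y):
    """SHA-256(U || V || X || Y) mod 2^32, i.e. the least significant 32 bits."""
    return int.from_bytes(hashlib.sha256(U + V + X + Y).digest()[-4:], "big")


def compare_value(U, V, X, Y):
    """Six-digit decimal value shown to the user: g(...) mod 10^6."""
    return g(U, V, X, Y) % 1_000_000


def f2(W, U, V, X, Y, Z):
    """Link key: HMAC-SHA-256_W(U || V || X || Y || Z) / 2^128."""
    return _hmac_top128(W, U + V + X + Y + Z)


def f3(W, N, U, V, X, Y, Z):
    """Check value: HMAC-SHA-256_W(N || U || V || X || Y || Z) / 2^128."""
    return _hmac_top128(W, N + U + V + X + Y + Z)


def verify_commitment(commitment, pk_own, pk_peer, nonce):
    """Recompute f1 once the peer reveals its nonce; constant-time comparison."""
    return hmac.compare_digest(commitment, f1(pk_own, pk_peer, nonce, 0))


def numeric_comparison(pk_a, pk_b, na, nb, dhkey, addr_a, addr_b, iocap_a, iocap_b):
    """Commitment, user check, link key and confirmation steps for one run.

    pk_*: 192-bit public key x-coordinates, n*: 128-bit nonces, dhkey: the
    P192 result used as the HMAC key W, addr_*: 48-bit addresses, iocap_*:
    16-bit I/O capability fields (input sizes as listed in the text).
    """
    cb = f1(pk_b, pk_a, nb, 0)                  # B commits to nb; Z = 0 for Numeric Comparison
    ok = verify_commitment(cb, pk_b, pk_a, nb)  # A checks the commitment once nb arrives
    va = compare_value(pk_a, pk_b, na, nb)      # displayed on A
    vb = compare_value(pk_a, pk_b, na, nb)      # displayed on B; the user confirms va == vb
    link_key = f2(dhkey, na, nb, b"btlk", addr_a, addr_b)
    r = bytes(16)                               # r = 0 when no passkey is involved
    ea = f3(dhkey, na, nb, r, iocap_a, addr_a, addr_b)   # A -> B, checked by B
    eb = f3(dhkey, nb, na, r, iocap_b, addr_b, addr_a)   # B -> A, checked by A
    return {"commitment_ok": ok, "va": va, "vb": vb,
            "link_key": link_key, "ea": ea, "eb": eb}
```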


8.6 Summary 


Bluetooth security is discussed in this chapter. The Bluetooth standard specifies authentication, authorization, and confidentiality for securing data transmission. Four different security modes are provided to fit various Bluetooth transmission requirements. Besides security modes, the Bluetooth standard also defines two trust levels and three service levels so that flexible configurations of security services can be designed in security policies. Bluetooth specifications have provided security features; however, they do not guarantee secure Bluetooth connections against all adversary penetrations. An adequate level of knowledge and understanding must be provided for Bluetooth users. For example, a user shall not respond to suspicious Bluetooth messages or connection requests. The standard passkey must be avoided in Bluetooth connections. If Bluetooth technology is used in an organization, security policies must be established to address the use of Bluetooth-enabled devices and users' responsibilities.
9 Zigbee Security


Zigbee is a wireless personal area network protocol designed to supply wireless communications at low cost and with low power requirements. It is one of the promising communication technologies to support wireless sensor networks and the Internet of Things (IoT). In this chapter, the security of Zigbee will be studied.


9.1 Introduction to Zigbee 


9.1.1 Overview of Zigbee 


Zigbee is a wireless personal area network (WPAN) protocol based on the IEEE 802.15.4 standard [73]. The Zigbee specification defines a simpler and less expensive technology than other WPANs, such as Bluetooth or ad-hoc Wi-Fi, thus making Zigbee a perfect candidate for short-range low-rate wireless data transmission, such as wireless light switches, in-home electrical meters, traffic management systems, and other equipment [74, 75]. The IEEE 802.15.4 standard defines Zigbee to operate in the industrial, scientific, and medical (ISM) frequency bands (e.g. 2.4 GHz in most jurisdictions worldwide). An overview of the IEEE 802.15.4 protocol stack is shown in Figure 9.1. The IEEE standard defines the lower-level device layers, i.e. the physical layer (PHY) and the medium access control layer (MAC).

The PHY manages the physical radio frequency (RF) transceiver and resource allocation, including channel selection, energy and signal management, etc. The IEEE 802.15.4 standard defines the Zigbee PHY to operate on one of three possible unlicensed frequency bands, as shown in Table 9.1. The standard defines channels of 5 MHz each. The low power consumption of Zigbee limits transmission distances to 10 to 100 m line-of-sight, depending on power output and environmental characteristics [76]. The basic framework supports a 10-m communication range with a maximum theoretical data rate of 250 kbps. The MAC manages access to the physical channel and network beaconing. The IEEE standard defines collision avoidance through carrier sense multiple access with collision avoidance (CSMA/CA) and beacon-enabled networking. The IEEE 802.15.4 standard does not use the standard Ethernet frames defined in IEEE 802.1D or IEEE 802.1Q. IEEE 802.15.4 PHYs only support frames of up to 127 bytes. An end device usually carries limited 802.15.4 functionality to reduce cost and complexity. Zigbee devices can transmit data over long distances by passing data through a mesh network of intermediate devices to reach more distant ones.


Security in Wireless Communication Networks, First Edition. Yi Qian, Feng Ye, and Hsiao-Hwa Chen. 
© 2022 John Wiley & Sons Ltd. Published 2022 by John Wiley & Sons Ltd. 
Companion website: www.wiley.com/go/qian/sec51 
Figure 9.1 Overview of the Zigbee protocol stack.


Table 9.1 Zigbee operating frequency bands.

Frequency bands      Number of channels                           Supporting areas
868.0-868.6 MHz      One communication channel                    Europe
902-928 MHz          10 channels (2003), extended to 30 (2006)    North America
2400-2483.5 MHz      Up to 16 channels                            Worldwide


Figure 9.2 Zigbee network topologies (star and mesh; network coordinator, router, and end device).


Other higher-level layers and interoperability sublayers are not defined in the IEEE 802.15.4 specification. The upper layers of Zigbee are standardized through the use of the Zigbee standard as defined by the Zigbee Alliance. The Zigbee network layer supports the formation of both star and mesh (or peer-to-peer) topologies, as shown in Figure 9.2. The network coordinator maintains overall network knowledge; a router carries full 802.15.4 functionality.


9.1.2 Security Threats Against Zigbee 


The IEEE 802.15.4 specification was designed with security supported in the MAC layer. The Zigbee specification further designed security into the upper layers in addition to the IEEE specification. However, security is occasionally not well implemented by developers. The possible attacks against Zigbee applications can generally be classified into three categories: physical, key, and replay/injection.


• Physical attacks: In practice, many radios residing on a Zigbee network employ a hard-coded encryption key. The encryption key is loaded into memory once the device is powered on. With physical access to a Zigbee device, an attacker may use various low-cost and open source tools to recover the hard-coded encryption key, for example, by intercepting the encryption key as it is moved from flash to memory during power-up. Once the hard-coded encryption key is revealed to an attacker, the security of the entire Zigbee network is potentially compromised. The attacker could intercept and alter data on this network.

• Key attacks: Key attacks are usually launched remotely. Zigbee applies over-the-air key delivery in some applications. In this case, an attacker may deploy a device that mimics a Zigbee node in the network and picks up the transmissions exchanged among legitimate devices. Captured packets can be analyzed or decrypted off-line afterwards. Due to the nature of passive attacks, it is almost impossible to detect the disclosure of packets. Even worse, attackers may be equipped with better devices that extend the range of Zigbee coverage, allowing them to stay further away.

• Replay and injection attacks: These attacks aim to dupe Zigbee devices into executing unauthorized actions, which may consume a lot of resources or even interrupt communications. Zigbee devices are particularly vulnerable to replay attacks since they are equipped with a lightweight design of the protocol with weak replay protection.


9.2 IEEE 802.15.4 Security Features 


Zigbee and other IEEE 802.15.4 based WPANs are vulnerable to a number of security threats and attacks. The IEEE 802.15.4 specification provides security services for data confidentiality, message integrity, and protection against replay attacks. IEEE 802.15.4 security is handled at the MAC layer, below application control. An application must explicitly enable security; it is not enabled by default. IEEE 802.15.4 defines four packet types for the MAC layer: beacon packets, data packets, acknowledgment packets, and control packets. The specification does not support security for acknowledgment packets. The other packet types can optionally support integrity protection and confidentiality protection for the data field of a packet [77].


9.2.1 Security Levels 


The IEEE 802.15.4 specification introduces procedures and mechanisms for protecting 
MAC frames, through symmetric-key cryptography techniques based on the AES-CCM 
algorithm [78]. In particular, the IEEE 802.15.4 specification defines eight security levels 
to protect the frame generated at the MAC layer, as listed in Table 9.2. 

The eight security levels can be broadly classified into no security, data authenticity only, data confidentiality only, and both data confidentiality and data authenticity. Security level 0 provides no security, which is set by default. Security levels 1 to 3 are based on AES-CBC-MAC, which provides data authenticity only. Security level 4 is based on AES-CTR, which provides data confidentiality only. Security levels 5 to 7 are based on AES-CCM, which provides both data confidentiality and data authenticity. Each category that supports data authenticity comes in three variants with different message integrity code (MIC) sizes. The MIC can be either 4, 8, or 16 bytes long, depending on the security level. A longer MIC increases protection against authenticity attacks, with the trade-off of a larger packet size. For each security level that offers data confidentiality, the recipient can optionally enable replay protection. The IEEE 802.15.4 specification only requires radio chips to support the Null and ENC-MIC-64 security levels.

Table 9.2 Security suites supported by IEEE 802.15.4.

Security level   Security attributes   Data confidentiality   Data authenticity   MIC length   Replay detection
0 (000)          Null                  OFF                    NO                  0            YES
1 (001)          MIC-32                OFF                    YES                 4            YES
2 (010)          MIC-64                OFF                    YES                 8            YES
3 (011)          MIC-128               OFF                    YES                 16           YES
4 (100)          AES-CTR               ON                     NO                  0            YES
5 (101)          ENC-MIC-32            ON                     YES                 4            YES
6 (110)          ENC-MIC-64            ON                     YES                 8            YES
7 (111)          ENC-MIC-128           ON                     YES                 16           YES


9.2.2 IEEE 802.15.4 Frame Structure 


Figure 9.3 IEEE 802.15.4 MAC frame format. Fields (octets): frame control (2), sequence number (1), destination PAN ID (0/2), destination address (0/2/8), source PAN ID (0/2), source address (0/2/8), auxiliary security header (0-14), frame payload (variable), FCS (2). The auxiliary security header consists of the security control header (1 octet: security level in bits 0-2, key ID mode in bits 3-4, bits 5-7 reserved), the frame counter (4), and the key identifier field (key source 0/4/8, key index 1).

The IEEE 802.15.4 specification defines a MAC layer data packet as shown in Figure 9.3. Each data packet has variable length and is used by a node to send a message to a single node or to broadcast a message to multiple nodes. A MAC frame is composed of a MAC header (7-23 bytes), a MAC payload (0-118 bytes), and a frame check sequence (FCS) footer (2 bytes). The FCS footer is a 16-bit cyclic redundancy check value. Each data packet has a flag field that indicates i) if security is enabled; ii) which addressing modes are in use; and iii) whether the sender requests an acknowledgment. If the security enabled flag of the frame control field is set to 0, then no security is provided. If the flag is set to 1, then one of the other seven security levels is applied. Security parameters are included within the auxiliary security header (ASH) field. The ASH field is a 5-14 byte data structure composed of three fields as follows [73, 79]:


• The security control header (1 byte): It specifies the security level (3 bits) and the key identifier mode (2 bits).

• The frame counter (4 bytes): It protects against replay attacks.

• The key identifier field (0-9 bytes): It contains the key source (0/4/8 bytes) and key index (1 byte), which are needed to determine the key for the encryption. The key identifier field is optional.


The ASH is transmitted in clear text with authentication provided. The key identifier 
mode field is an unsigned integer that indicates whether the key can be derived implic- 
itly or explicitly. Furthermore, it is used to indicate the particular representations of the 
key identifier field, if the key is derived explicitly. Values of the key identifier mode field 
(listed as mode) and key identifier field length field (listed as length) shall be set according 
to Table 9.3. 

The formatting of the data field for the three main security categories is shown 
in Figure 9.4. When AES-CTR is applied, only the MAC payload is encrypted. When 
authentication is applied without confidentiality, the entire MAC header, ASH, and MAC 
payload are input to AES-CBC-MAC to generate a MIC. When both confidentiality 
and authentication are required, then the MIC is first generated with the inputs of MAC 
header, ASH, and MAC payload. Then the MAC payload and MIC are encrypted. 


Table 9.3 Values of the key identifier mode field.

Mode   Description                                                                                                        Length
00     Key is determined implicitly from the originator and recipient(s) of the frame as indicated in the frame header    0
01     Key is determined from the Key Index field                                                                         1
10     Key is determined explicitly from the 4-octet key source field and the key index field                             5
11     Key is determined explicitly from the 8-octet key source field and the key index field                             9


Figure 9.4 The formatting of the data field for the three main security categories: AES-CTR (MAC payload encrypted); MIC-32/64/128 (MAC header, auxiliary security header, and MAC payload authenticated); ENC-MIC-32/64/128 (MAC header, auxiliary security header, and MAC payload authenticated, then MAC payload and MIC encrypted).
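An added example that is not the book's code: it decodes the auxiliary security header described in Section 9.2.2 using Tables 9.2 and 9.3, and applies the frame-counter replay check that the ASH enables. The ASH bytes are constructed, and the 4-octet frame counter is read in little-endian order, the byte order IEEE 802.15.4 uses for multi-octet fields.

```python
"""Decode an IEEE 802.15.4 auxiliary security header (ASH) and run the
frame-counter replay check.

Added example, not code from the book. The security-level and key
identifier mode tables follow Tables 9.2 and 9.3; the ASH bytes used are
constructed. The frame counter is read little-endian, as IEEE 802.15.4
transmits multi-octet fields.
"""
import struct

# Table 9.2: level -> (attributes, confidentiality, authenticity, MIC length in bytes)
SECURITY_LEVELS = {
    0: ("Null", False, False, 0),
    1: ("MIC-32", False, True, 4),
    2: ("MIC-64", False, True, 8),
    3: ("MIC-128", False, True, 16),
    4: ("AES-CTR", True, False, 0),
    5: ("ENC-MIC-32", True, True, 4),
    6: ("ENC-MIC-64", True, True, 8),
    7: ("ENC-MIC-128", True, True, 16),
}

# Table 9.3: key identifier mode -> key source length; mode 0 carries no key identifier field
KEY_SOURCE_LEN = {0: None, 1: 0, 2: 4, 3: 8}


def parse_ash(buf, offset=0):
    """Decode the ASH at buf[offset:]; return (fields, number of bytes consumed)."""
    ctrl = buf[offset]
    level = ctrl & 0x07               # bits 0-2: security level
    key_id_mode = (ctrl >> 3) & 0x03  # bits 3-4: key identifier mode
    (frame_counter,) = struct.unpack_from("<I", buf, offset + 1)
    pos = offset + 5
    key_source = key_index = None
    src_len = KEY_SOURCE_LEN[key_id_mode]
    if src_len is not None:
        if src_len:
            key_source = bytes(buf[pos:pos + src_len])
            pos += src_len
        key_index = buf[pos]
        pos += 1
    name, conf, auth, mic_len = SECURITY_LEVELS[level]
    fields = {
        "security_level": level, "attributes": name,
        "confidentiality": conf, "authenticity": auth, "mic_length": mic_len,
        "key_id_mode": key_id_mode, "frame_counter": frame_counter,
        "key_source": key_source, "key_index": key_index,
    }
    return fields, pos - offset


class ReplayFilter:
    """Track the highest frame counter seen per sender; reject non-increasing counters."""

    def __init__(self):
        self.last_seen = {}

    def accept(self, sender, frame_counter):
        if frame_counter <= self.last_seen.get(sender, -1):
            return False
        self.last_seen[sender] = frame_counter
        return True


def check_incoming(sender, ash_bytes, replay_filter):
    """Parse the ASH of a received frame and decide how to treat it.

    Returns (decision, fields): "replay" frames are dropped before any MIC
    check or decryption, "unprotected" frames carry security level 0.
    """
    fields, _ = parse_ash(ash_bytes)
    if fields["security_level"] == 0:
        return "unprotected", fields
    if not replay_filter.accept(sender, fields["frame_counter"]):
        return "replay", fields
    return "accept", fields


if __name__ == "__main__":
    # Constructed ASH: ENC-MIC-32, key id mode 1, frame counter 0x102, key index 7.
    demo = bytes([0x05 | (1 << 3), 0x02, 0x01, 0x00, 0x00, 0x07])
    rf = ReplayFilter()
    print(check_incoming("node-1", demo, rf)[0], check_incoming("node-1", demo, rf)[0])
```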


9.3 Zigbee Upper Layer Security 


Besides the PHY and MAC layers, the Zigbee specification implements two extra security layers at the network layer and the application layer. More specifically, it is the application support sublayer, which is a sublayer of the application layer, as shown in Figure 9.1. The Zigbee standard implements complex security measures to ensure key establishment, secure networks, key transport, and frame security at both the network and application support sublayers [80]. Zigbee requires all protocol stack layers to trust each other; thus each layer is responsible for the security of its respective frames.


9.3.1 Zigbee Security Models 


The Zigbee standard offers both distributed and centralized network architectures and corresponding security models to satisfy a wide range of applications. In order to ensure the optimal balance among security, ease of use, cost, and battery life under different network requirements, the two network architectures take different approaches to admitting new devices into the network and protecting messages on the network.


• The Distributed Security Model: This model is more appropriate for easier-to-configure Zigbee network systems. Such a distributed security model comprises routers and end devices. If a Zigbee router detects an existing network when it is powered up, it may join the secure network. Otherwise, a Zigbee router can form a distributed secure network and start to issue network security keys. Other Zigbee routers and end devices will detect the secure network and join it by receiving the keys from the Zigbee network initiator. In a distributed Zigbee network, any router can issue network security keys.

• The Centralized Security Model: This model is more appropriate for Zigbee network systems that require higher security. In addition to routers and end devices, a centralized security model includes a trust center. A trust center is typically the network coordinator or a dedicated device that forms a centralized network. It is responsible for the authentication and validation of each Zigbee device that attempts to join the network. In a centralized Zigbee network, only the trust center can issue network security keys. The trust center also establishes a unique master key for each device on the network and link keys for each pair of devices as requested.


9.3.2 Security Keys in Zigbee 


Since all Zigbee security policies rely on the same AES encryption algorithm, the 802.15.4 based hardware architecture deployed for the MAC layer is still valid. Including the MAC layer, the Zigbee standard applies three different kinds of keys to provide security in different layers. The keys used in Zigbee security are master, link, and network keys.


• Master keys: They are the keys pre-installed in each Zigbee device during manufacturing. A master key secures the link key exchange between two nodes in the key establishment procedure.

• Link keys: They are unique keys set for each pair of Zigbee nodes. Link keys are managed at the application support sublayer. They are used to encrypt data traffic between each pair of Zigbee nodes. Therefore, more memory resources are needed in each device if link keys are required.

• Network key: It is a unique 128-bit key shared among all the Zigbee devices in the network. The network key is generated by the trust center and regenerated at different intervals. Each Zigbee node must receive the network key in order to join the network. Once the trust center decides to update the network key, the new one is spread through the network using the old network key. Once this new key is updated in a device, its frame counter is initialized to zero.


Each pair of devices has both network key and link key, where only the link key is always 
used for better security. In a centralized security model with a trust center involved, there 
are two kinds of security policies, residential mode and commercial mode [81]. In the res- 
idential mode, a trust center issues the network key to the routers and end devices in the 
Zigbee network, as shown in Figure 9.5. This mode is normally chosen for wireless sensor 
networks, where the Zigbee nodes are embedded devices with limited resources. 

In the commercial mode, a trust center issues all three types of keys for devices in the network, as shown in Figure 9.6. Besides the network key for all Zigbee devices, the trust center also issues a master key and a link key for each pair of Zigbee devices (including the trust center itself) in the network. For example, between the trust center $n_C$ and node 1 $n_1$ there exist a master key $K_M(C, 1)$, a link key $K_L(C, 1)$, and the network key $K_N$. Similarly, between nodes 1 and 2 there exist a master key $K_M(1, 2)$, a link key $K_L(1, 2)$, and the network key $K_N$.

Figure 9.5 Trust center in Zigbee residential security mode (the trust center issues the network key).
Figure 9.6 Trust center in Zigbee commercial security mode.


9.3.3 Zigbee Network Layer Security 


To protect a secure centralized network, the Zigbee standard defines install codes at the network level to authenticate devices. An install code is a 128-bit unique code generated randomly for a new Zigbee device. To join a centralized secure network, the trust center will verify whether the install code matches a code that was previously entered into the trust center without using a Zigbee message. For example, the install code may be printed on the packaging of the Zigbee device. The user can scan or manually enter the code into the trust center, or through a device (e.g. a smart phone) that is connected to the trust center. Once the Zigbee device joins the secure network, the trust center derives a unique 128-bit link key from the install code using the Matyas-Meyer-Oseas (MMO) hash function [82].

The Zigbee standard defines the same security environment at the network level for all Zigbee devices. Similar to the MAC layer security, Zigbee provides confidentiality and data authentication in the network layer by encrypting the transmitted frames with AES-CCM. AES-CCM is an authenticated encryption algorithm that combines both the counter mode of encryption and the CBC-MAC mode of authentication. The key applied to AES-CCM is the 128-bit network key, which is shared among all Zigbee devices in the network. In a centralized Zigbee network, the trust center usually generates and stores multiple network keys, where only one of the keys is the active network key. The initial network key is distributed to a Zigbee network via key transport or pre-installation. An updated network key is usually encrypted with the link key and sent to each Zigbee device. 


9.3.4 Zigbee Application Support Layer Security 


The Zigbee standard defines a secured link between each pair of Zigbee devices at the application support layer, so that virtual private links can be supported between each pair of devices in the network. If security is provided for broadcast communications with the network key, the application support layer simply passes the encrypted frames to the network layer. If security is required for unicast communications, the frames are encrypted with link keys at the application support layer. A 128-bit link key is shared only between a pair of Zigbee devices in the network. The application support layer is also responsible for providing applications and the Zigbee device object with key establishment, key transport, and device management services. For example, in a smart home enabled with a Zigbee network, all devices are connected in the same centralized network secured at the network level. Therefore, communications in the network are protected from outsiders (e.g. neighbors). The application support layer security provides the additional capability of protecting communications between two devices (e.g. a smart phone and a smart light) from others that are in the same network. The use of link keys also limits the ability of an attacker that acquires the network key to intercept or inject messages that other devices would act upon. 


9.3.5 Other Security Features in Zigbee 


Besides the security definitions in the network layer and the application support sublayer, Zigbee provides other security features. One of them is the usage of application profiles. Application profiles are agreements for messages, message formats, and processing actions that enable developers to create an inter-operable application with separate devices. Multiple application profiles can be created to allow devices of different vendors to properly and securely communicate with each other. 

Another security feature is the over-the-air (OTA) updates defined for Zigbee applications. OTA updates allow a manufacturer to add new features, fix defects in its product, and apply security patches as new threats are identified. However, OTA updates also represent a potential security vulnerability if the protocol does not provide ample protections, or the device manufacturer does not use all available safeguards. As shown in Figure 9.7, Zigbee devices and associated silicon platforms provide multi-layered security to update devices in the field and assure that updated code images have not been modified maliciously. The OTA image may be encrypted during manufacturing so that only the end product contains the key to decrypt it. The OTA image may also be stored in on-chip memory that is configured with the debug read-back feature disabled, preventing reverse engineering with standard debug tools, which is a common vulnerability of other solutions. The Zigbee specification provides a method to encrypt all image transfers over the air with a unique key, e.g. $k_1$. The standard also provides a method to sign the OTA image with another unique key, e.g. $k_2$. 


Figure 9.7 Security in Zigbee OTA updates (manufacturer side: OTA image, optional encryption, optional storage in on-chip memory with debug read-back disabled; Zigbee specification side: encryption and digital signature, output to Zigbee applications). 
Figure 9.8 Zigbee frequency agility operation. 


The Zigbee standard also supports frequency agility, which enables a Zigbee network to switch its operating channel. Frequency agility also improves the security of a Zigbee network against replay attacks. As shown in Figure 9.8, frequency agility is conducted in three phases: 

• Interference detection: In this phase, the Zigbee coordinator monitors the packet error rate (PER), i.e. the ratio of unsuccessful packets to the total number of packets sent. If the PER is greater than 25% with a minimum of 20 packets sent, then interference is confirmed. 

• Channel evaluation: In this phase, the Zigbee coordinator scans all the channels to determine if the current channel has the highest energy. 

• Interference mitigation: In this phase, the Zigbee coordinator reports to the network channel manager, which decides if a channel switch shall be conducted. If so, the decision is broadcast to all Zigbee nodes in the network. 


9.4 Security-Related MAC PIB Attributes 


The IEEE 802.15.4 standard defines the PAN information base (PIB) security-related attributes to serve multiple purposes. For example, some attributes determine the key for the encryption and decryption functionalities implemented within the outgoing frame security and the incoming frame security procedures. The configuration of the security-related attributes is a complex task, but it allows great flexibility in the use of the media access control security for various Zigbee application needs. 

The security-related attributes defined in the IEEE 802.15.4 specification are described in Table 9.4. In the secKeyIdLookupList, each secKeyIdLookupDescriptor contains: 

• secKeyIdMode: the mode used for this descriptor. 
• secKeySource: the originator of the key. 
• secKeyIndex: information used to identify the key. 
• secKeyDeviceAddrMode: the addressing mode for this descriptor. 
• secKeyDevicePanId: the PAN ID for this descriptor. 
• secKeyDeviceAddress: the address for this descriptor. 
• secKeyDescriptor: a secKeyDescriptor associated with the parameters in this secKeyIdLookupDescriptor. 

Table 9.4 The PIB security-related attributes. 

PIB security-related attribute | Description 
secKeyIdLookupList | A list of secKeyIdLookupDescriptors containing keys and security policy information that are useful for protecting a MAC frame. 
secDeviceList | A list of device information (i.e. secDeviceDescriptors) for each remote device with which this device securely communicates. Each of them contains the PAN ID, the short MAC address, the extended MAC address, the counter of the latest packet received from the remote device, and a boolean flag indicating whether the considered node may override the minimum security level settings. 
secSecurityLevelList | A list of secSecurityLevelDescriptors that provides information about the minimal expected/required security level and the set of allowed security levels for each MAC frame type and subtype. 
secFrameCounter | The outgoing frame counter for this device, used for keys which do not have secFrameCounterPerKey set to TRUE. 
secAutoRequestSecurityLevel | The security level used for automatic data requests. 
secAutoRequestKeyIdMode | The key identifier mode used for automatic data requests. 
secAutoRequestKeySource | The originator of the key used for automatic data requests. 
secAutoRequestKeyIndex | The index of the key used for automatic data requests. 

In the secDeviceList, each secDeviceDescriptor contains: 

• secPanId: the PAN ID of the device in this DeviceDescriptor. 
• secShortAddress: the short address of the device in this DeviceDescriptor. 
• secExtAddress: the extended IEEE address of the device. 
• secExempt: indication of whether the device may override the minimum security level settings. 
• secDeviceMinFrameCounter: the smallest frame counter allowed to be sent by the other device for this key. 


With the security-related attributes defined, a node that intends to secure a packet shall execute the outgoing frame security procedure in the following steps: 

(1) identify the security level that has to be applied to the current MAC frame; 
(2) check if the frame size is acceptable (i.e. 127 bytes maximum); 
(3) identify the key to use during the encryption process; 
(4) protect the MAC payload according to the selected security level, by using the corresponding algorithm; 
(5) create the auxiliary security control field and include it within the protected frame; 
(6) generate the FCS; 
(7) reassemble the whole packet. 


When a device receives a MAC frame, it should verify whether the frame has been protected by the sender (i.e. whether the security enabled flag is set to 1). If so, it runs the incoming frame security procedure with the following operations: 

(1) verify the packet integrity through the check of the FCS; 
(2) identify the key to use during the decryption process; 
(3) verify that the security level chosen by the sender is allowed for the message the packet contains; 
(4) decrypt the payload; 
(5) verify that all security constraints are satisfied; 
(6) deliver the message to the upper layer. 


9.5 Mechanisms Used in Zigbee Security 


Zigbee security applies AES-CTR for confidentiality, AES-CBC-MAC for data authentication, and AES-CCM for both confidentiality and data authentication at all three layers: the MAC layer, the network layer, and the application support sublayer. Zigbee also applies the MMO hash function for link key generation. 


9.5.1 AES-CTR 


AES-CTR mode is a technique for encryption with a block cipher (i.e. AES in counter mode), as shown in Figure 9.9. To encrypt a plaintext, a nonce and a counter value CTR are first input to an AES encryption operation. The plaintext is then XORed with the output of the operation to generate the ciphertext. Note that the block operation is the same for decryption, i.e. only AES encryption is applied in the function. 

Figure 9.10 Overview of the AES-CBC-MAC mode. 


9.5.2 AES-CBC-MAC 


AES-CBC-MAC is a technique for constructing a message authentication code from a block cipher (i.e. AES in CBC mode), as shown in Figure 9.10. Note that the acronym MAC in AES-CBC-MAC stands for message authentication code. It should not be confused with the acronym MAC as defined in this chapter, media access control; in this chapter, MIC is used for the message integrity (authentication) code. Zigbee security may choose 32, 64, or 128 bits from the 128-bit result. 


9.5.3 Overview of the AES-CCM 


AES-CCM mode is the combination of AES-CTR mode and AES-CBC-MAC mode, as shown in Figure 9.11. A MIC is first generated using the AES-CBC-MAC mode. The plaintext and the MIC are then encrypted using the AES-CTR mode. 

Figure 9.11 Overview of the AES-CCM mode. 


9.5.4 Nonces Applied to the Security Mechanisms 


In the security mechanisms described before, nonces are set differently for the Time-Slotted Channel Hopping (TSCH) mode and the non-TSCH mode. For the non-TSCH mode, the nonce is formatted as shown in Figure 9.12. The source address field is set to the extended address of the device originating the frame. The frame counter field is set to the value of the respective field in the ASH. The nonce security level field is an unsigned integer that is set to the value of the security level of the security control field. 

For the TSCH mode, the nonce is formatted as shown in Figure 9.13. The source address field can be set to the extended address of the device originating the frame, or be formatted as shown in Figure 9.14. The IEEE 802.15.4 CID field contains the CID for IEEE 802.15.4. The PAN ID field contains the PAN ID. The short address field contains the short address of the device originating the frame. If short addresses are used in the nonce, then the coordinator must ensure the uniqueness of each short address. 

The nonce for fragment frames is formatted as shown in Figure 9.15. Besides the source address and security level fields, a nonce for fragment frames requires a PSDU counter and a fragment number to identify the fragment. The fragment indicator is set to one for this nonce. 

Figure 9.12 Nonce for non-TSCH mode. 
Figure 9.14 Source address field for TSCH mode with short addressing. 


9.5.5 Matyas-Meyer-Oseas Hash Function 


The MMO hash function is a single-block-length one-way compression function [82]. As shown in Figure 9.16, the MMO hash function takes as input the message block $m_i$, as the plaintext to be encrypted, and $g(H_{i-1})$ as the key for encryption, where $H_{i-1}$ is the hash value generated from the previous message block and $g(\cdot)$ is a function that generates the key. The output ciphertext is then XORed with the same message block $m_i$ to produce the next hash value $H_i$. In 
9.6 Summary 


Zigbee security is discussed in this chapter. The MAC layer security defined by the IEEE 802.15.4 standard is extended by the Zigbee standard in the network layer and the application support sublayer. Due to the nature of symmetric-key cryptographic mechanisms, the level of security provided by the Zigbee security architecture depends on the safekeeping of the symmetric keys, on the protection mechanisms employed, and on the proper implementation of the cryptographic mechanisms and associated security policies involved. Therefore, Zigbee security is based on the assumption that keys are securely stored and distributed. In practice, the security provided by the Zigbee standard is not enough. For example, if a Zigbee device joins a network, the key may be sent unprotected. Despite its short time frame, a potential key interception may happen. Another vulnerability of Zigbee is the low-cost nature of some types of Zigbee devices. An attacker may get physical access to such a device and extract the secret keying material as well as other privileged information. Zigbee has a great potential to be deployed in wireless sensor networks and the Internet of things. Security must be carefully considered to provide those applications. 
Traditional automatic identification and data capture (AIDC) technologies such as bar codes and quick response (QR) codes use dedicated optical scanners and smart phone cameras to read labels. Radio-frequency identification (RFID) is a technological advancement in AIDC that supports communications without optical line of sight and with less human involvement in the identification process [83]. In this chapter, the security of RFID is introduced. 


10.1 Introduction to RFID 


10.1.1 Overview of RFID Subsystems 


An RFID subsystem consists of two types of components, RFID tags and RFID readers [83], as shown in Figure 10.1. RFID tags, also known as transponders, are small electronic devices embedded in objects. Each RFID tag has a unique identifier (UID) and may also have other features such as memory to store additional data and security functions. The primary function of a tag is to provide an identifier to an RFID reader. RFID readers are devices that identify items associated with RFID tags. Both the RFID tag and the RFID reader are two-way radios that are capable of modulating and demodulating radio signals. Most RFID systems also contain an enterprise subsystem that makes the data acquired from RFID subsystem transactions useful to a supported business process. Each RFID tag has a UID. The Electronic Product Code (EPC) developed by the industry group EPCglobal is widely used across many industry sectors as the tag identifier. The EPC tag identifier format consists of four data fields: Header, EPC Manager ID, Object Class, and Serial Number. The Header specifies the EPC type. The EPC Manager ID identifies the organization that assigns the object class and serial number. The Object Class identifies a class of objects. The Serial Number describes the specific instance of that class of objects. 


10.1.2 Types of RFID Tags 


There are different types of RFID tags in terms of the cost, size, performance, and security 
mechanisms. Based on the power source, RFID tags are categorized into passive, active, 
semi-active, and semi-passive. 


Security in Wireless Communication Networks, First Edition. Yi Qian, Feng Ye, and Hsiao-Hwa Chen. 
© 2022 John Wiley & Sons Ltd. Published 2022 by John Wiley & Sons Ltd. 
Companion website: www.wiley.com/go/qian/sec51 
• Passive tag: A passive tag is powered by the electromagnetic energy from the transmission of a reader. Due to the limited power, a passive tag can only support lightweight data processing and has a short operating range. Nonetheless, passive tags are usually cheaper and smaller than other types of tags. 

• Active tag: An active tag is powered by an internal battery for communications and other functions. As a result, active tags can communicate over greater distances than other types of tags. However, active tags are usually more expensive and larger. 

• Semi-active tag: A semi-active tag is also powered by an internal battery, similar to an active tag. In comparison, a semi-active tag only wakes up when it receives a signal from the reader. Otherwise, it remains dormant. As a result, semi-active tags generally have longer battery life. 

• Semi-passive tag: A semi-passive tag has an internal battery. However, the battery only powers the on-board circuitry while not producing return signals. As a result, semi-passive tags are usually cheaper and smaller than active tags, while supporting more functionalities than passive tags. 


10.1.3 RFID Transactions 


RFID transactions can be initiated by either tags or readers, defined as reader talks first 
(RTF), or tag talks first (TTF). In an RTF transaction, the reader broadcasts a signal. The 
tags that receive the signal may then respond and continue transactions with the reader. 
In a TTF transaction, a passive tag initiates a transaction as soon as it gets power from 
the reader’s signal. An active tag in a TTF transaction transmits periodically as long as its 
power supply lasts. In most RFID subsystems, readers and tags operate using only RTF or 
TTF transactions, not both types. Security wise, an active tag in a TTF transaction can be 
more vulnerable to eavesdropping as the attacker has no need to send signals. 


10.1.4 RFID Frequency Bands 


RFID systems may operate in different radio frequency bands: low frequency (LF), high frequency (HF), ultra-high frequency (UHF), and microwave frequency [84]. The radio frequencies at which a tag transmits and receives signals have implications for tag performance characteristics, including the operating range and the RFID data transfer rate [85]. An overview of the characteristics of each RFID frequency band is shown in Table 10.1. 


Table 10.1 RFID frequency bands. 

Band | LF | HF | UHF | Microwave 
Frequency | 30-300 kHz | 3-30 MHz | 300-1000 MHz | 2-30 GHz 
RFID RF | 125-134 kHz | 13.56 MHz | 433 MHz (active), 865-956 MHz | 2.45/5.8 GHz 
Data rate | < 1 kbps | ≈ 25 kbps | ≈ 30 kbps | up to 100 kbps 
Applications | Access control, animal tagging, inventory control, vehicle immobilizer | Smart card, contact-less access and security, item level tracking | Logistics case/pallet tracking, baggage handling | Railroad car monitoring, automated toll collection 


10.2 Security Attacks, Risks, and Objectives of RFID Systems 


10.2.1 Security Attacks to RFID Systems 


RFID systems are vulnerable to several security attacks. The Smart Border Alliance assessed several security risks of RFID systems [85]. 

• Counterfeit RFID tag attacks: This type of attack seeks to duplicate legitimate tags through cloning or forgery. Since many low-cost RFID systems use unencrypted identifiers, they can be stolen by counterfeit attacks. 

• Replay attacks: An attacker can perform replay attacks especially when a counterfeit RFID tag is retrieved. The integrity of the legitimate RFID tag can be compromised by replay attacks. 

• Eavesdropping attacks: Since lightweight RFID tags are not required to communicate with RFID readers through encrypted channels, eavesdroppers can intercept the clear texts in the vicinity of the RFID systems. 

• Electronic collisions: Electronic collisions may occur when multiple RFID tags and/or readers communicate with each other simultaneously. Collisions of RFID tags can result in failed transmissions, lost data, or faulty data integrity. 


10.2.2 RFID Privacy Risks 


RFID privacy risks reside in data and location. Data privacy involves user information contained on the RFID tag and the associated backend databases. Additional data privacy risks can arise if the RFID tags can be rewritten. Location privacy involves location information of a tag when its tag number is associated with a physical location and time. For example, the stored-value card for automated toll collection and public transportation may record the location information at the time the device is used. Disclosed location information may be further used in data mining or other value-added applications. 
10.2.3 Security Objectives 


The Smart Border Alliance listed the security objectives of RFID systems as confidentiality, 
integrity, non-repudiation, and availability [85]. 


• Confidentiality: Communication channels between RFID tags and legitimate readers should be protected from unauthorized access. All data stored on the RFID tags and the backend databases should be protected from unauthorized access. No unauthorized RFID readers should access data on the RFID tags. 

• Integrity: User data stored on the RFID tags and the backend databases should be protected from unauthorized modification. Communication channels between RFID tags and legitimate readers should be protected from unauthorized modification and replay. The presence of multiple tags should not compromise system integrity. RFID tags should be prohibited from duplication. 

• Non-repudiation: RFID tags and readers should achieve mutual authentication. Mutual authentication should also be achieved between RFID readers and any middleware in the system. 

• Availability: All RFID system components should be available to users whenever needed. Neither the presence of multiple tags nor multiple readers should interrupt system operations. Data accessed from the backend systems should be available to multiple authorized entities at any time. 


10.3 Mitigation Strategies and Countermeasures for RFID 
Security Risks 


There are several mitigation strategies and countermeasures for RFID security risks, including cryptographic strategies, anti-collision algorithms, as well as other mitigation strategies. For clarification, Table 10.2 summarizes the RFID system risks and their impacts and countermeasures. 


10.3.1 Cryptographic Strategies 


10.3.1.1 Encryption 

RFID signals can be encrypted so that rogue readers cannot intercept the messages. Therefore, encryption provides confidentiality to RFID systems. However, power consumption and cost limit the encryption capability of RFID tags. 


10.3.1.2 One-Way Hash Locks 

One-way hash locks provide access control based on a hash function [86]. In the locked state, an RFID tag stores the hash value of a unique key as its metaID. The key value and the metaID are stored in a backend database. Upon a request from a reader, the RFID tag responds with its metaID. A legitimate reader verifies the metaID by consulting the backend database. Once verified, the RFID tag enters the unlocked state and exposes its full functionality to the reader. However, one-way hash locks do not protect the system from eavesdropping once the tag enters the unlocked state. 


Table 10.2 RFID system risks and their impacts and countermeasures. 

Risks | Security objectives | Countermeasures 
Counterfeit attacks | Confidentiality, Integrity | Encryption; EPC tag PIN; Physical shielding sleeve; One-way hash locks; Selective blocker tag 
Replay attacks | Integrity, Availability | EPC tag PIN; Physical shielding sleeve; One-way hash locks; Selective blocker tag 
Eavesdropping | Confidentiality | Encryption; EPC tag PIN; Physical shielding sleeve; Selective blocker tag 
Electronic collisions | Integrity, Availability | Anti-collision algorithms; Secure Reader Protocol 1.0 


10.3.1.3 EPC Tag PINs 

EPC Class 1 tags have personal identification number (PIN)-controlled access originally 
envisioned to allow readers to authenticate to RFID tags. The EPC tag PINs control several 
sensitive functions, including “write,” “sleep,” and “kill.” This one-way authentication is 
extended to authenticate RFID tags to trusted readers [87]. Thus a mutual authentication 
of both RFID tags and readers can be achieved through a resultant challenge and response 
communication line. 


10.3.2 Anti-Collision Algorithms 


Anti-collision algorithms provide singulation, where a reader identifies a particular tag in order to avoid tag collisions. Tree-walking and the blocker tag are common singulation methods in RFID systems. 


10.3.2.1 Tree-Walking 

RFID systems operating at 915 MHz generally implement the silent binary tree-walking algorithm as a singulation technique. As shown in Figure 10.2, the silent tree-walking protocol utilizes a binary algorithm that queries tags bit by bit. It resembles a depth-first search of a binary tree. RFID tags bear UIDs of a fixed bit length, where each bit is represented as a "0" or a "1." In the example shown in Figure 10.2, the reader broadcasts the current prefix. Each tag whose ID starts with this prefix responds to the broadcast with its next bit. If there is no collision, the reader appends the received bit to the current prefix. If the responses collide, the reader tries both possibilities of the bit. 


Figure 10.2 Illustration of tree walking. 


10.3.2.2 The Selective Blocker Tag 

The selective blocker tag is an extension to the silent tree walking singulation protocol [88]. It is a form of jamming that broadcasts both "0" and "1" in response to any request from an RFID reader. It guarantees a collision no matter what tags are present. To talk to an RFID tag, a reader must then traverse every tree path, which is infeasible with a lengthy ID (e.g. 128 bits). To prevent illegitimate blocking, a blocker tag shall be made selective for certain ID ranges. 
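Silent tree walking (Section 10.3.2.1) and a selective blocker tag (this section), as an added simulation in Node.js that is not from the book or from [88]. It uses 8-bit IDs so the query counts stay small, and the way the blocker answers above and inside its protected range is an assumption of the simulation.

```javascript
'use strict';

const ID_BITS = 8;   // short IDs keep the walk readable; real UIDs are far longer

// Bits the real tags contribute for a reader prefix: each tag whose ID starts
// with the prefix answers with its next ID bit.
function tagReplies(tags, prefix) {
  const bits = new Set();
  for (const id of tags) {
    if (id.length > prefix.length && id.startsWith(prefix)) bits.add(id[prefix.length]);
  }
  return bits;
}

// Bits a selective blocker tag contributes. The protected ID range is given
// as a prefix: inside that subtree the blocker answers both 0 and 1 to every
// query (a guaranteed collision); above it, it answers like a tag that lives
// on the path into the range; elsewhere it stays silent.
function blockerReplies(blocker, prefix) {
  if (!blocker || prefix.length >= ID_BITS) return [];
  if (prefix.startsWith(blocker.prefix)) return ['0', '1'];
  if (blocker.prefix.startsWith(prefix)) return [blocker.prefix[prefix.length]];
  return [];
}

// Silent binary tree walking (Figure 10.2): the reader broadcasts the current
// prefix and listens. One bit heard extends the prefix by that bit, a
// collision makes the reader explore both branches, silence ends the branch.
// Returns the number of reader queries and the full-length IDs it reached.
function treeWalk(tags, blocker, prefix = '', stats = { queries: 0, found: [] }) {
  if (prefix.length === ID_BITS) {
    stats.found.push(prefix);   // a single tag (or a blocker phantom) singulated
    return stats;
  }
  stats.queries += 1;
  const heard = tagReplies(tags, prefix);
  for (const b of blockerReplies(blocker, prefix)) heard.add(b);
  for (const bit of ['0', '1']) {
    if (heard.has(bit)) treeWalk(tags, blocker, prefix + bit, stats);
  }
  return stats;
}

// Constructed inventory: three 8-bit tags, one of them in the "private" half
// of the ID space, and a blocker protecting every ID that starts with 1.
const TAGS = new Set(['00001111', '00110011', '10100101']);
const BLOCKER = { prefix: '1' };

// Compares the walk with and without the blocker. Inside the protected range
// every one of the 2^7 IDs is reported whether a tag exists or not, so the
// reader cannot learn which ones are real; with 128-bit IDs the same walk
// would need on the order of 2^127 queries, which is what makes blocking work.
function demo() {
  const open = treeWalk(TAGS, null);
  const blocked = treeWalk(TAGS, BLOCKER);
  return {
    openQueries: open.queries,
    openFound: open.found.length,
    blockedQueries: blocked.queries,
    blockedFound: blocked.found.length,
    phantoms: blocked.found.filter(id => !TAGS.has(id)).length,
  };
}
```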


10.3.3 Other Mitigation Strategies 


10.3.3.1 Physical Shielding Sleeve (The Faraday Cage) 

A Faraday cage is a physical shield made from metal mesh or foil that can protect RFID tags from eavesdropping. However, a physical shield must be removed to allow scans from legitimate readers. Without proper compliance, a physical shield may raise risks to availability and integrity. The integrity could be threatened since the RFID tag is not recorded by the legitimate reader if it is shielded in a Faraday cage. 


10.3.3.2 Secure Reader Protocol 1.0 

EPCglobal developed Secure Reader Protocol 1.0, which defines the communication between RFID middleware and RFID readers. As listed in Table 10.3, Secure Reader Protocol 1.0 is specified in three distinct layers. The Transport Layer provides operating system networking facilities. The Messaging Layer allows multiple alternate implementations. One particular implementation is the messaging/transport binding (MTB). Alternate implementations of MTB allow the RFID systems to support Ethernet, IEEE 802 local area network and metropolitan area network standards. The security of the middleware and reader communication mode is determined by the technology used to implement the MTB. 


Table 10.3 Layers specified in Reader Protocol 1.0. 


Layer | Definition 
Reader layer | Message content/format; security services 
Messaging layer | Message framing; connection establishment 
Transport layer | Operating system networking facilities 
The limited power supply and low processing power constraints dictate lightweight security mechanisms in RFID tag implementations. Several security protocols have been developed to protect RFID systems to a reasonable extent. The typical examples are hash locks [86] and the family of HB protocols [89-91]. 


10.4.1 Hash Locks 


10.4.1.1 Default Hash Locking 

Hash locking is an access control mechanism based on one-way hash functions [86]. 
Figure 10.3 illustrates an overview of the hash locking protocol. An RFID tag may enter 
the locked state and the unlocked state described as follows: 


• Lock a tag: An RFID tag stores the hash of a random key, i.e. hash(key), as its metaID. In practice, a hardware-optimized cryptographic hash would suffice. The metaID generation may occur either over the RF communication channel or over a physical contact channel for added security. The metaID also requires a portion of memory reserved on the RFID tag. The backend database stores both the key and the metaID. The RFID tag enters the locked state. In this state, the RFID tag responds to all queries with its metaID only and offers no other functionality. 

• Unlock a tag: Once the metaID is queried from an RFID tag, a reader looks up the appropriate key in the backend database and transmits the key to the tag. The tag verifies the key by computing its hash value and comparing it to the stored metaID. If the values match, the RFID tag unlocks itself and enters the unlocked state, where all functionalities are open to nearby readers. 


Analysis of Hash Locks 

Due to the one-way hash function, hash locks prevent unauthorized readers from reading tag contents. However, the metaID may be captured by an attacker, who may spoof that tag and launch replay attacks against a legitimate reader. More importantly, the legitimate reader will retrieve and transmit the key to the attacker. To counter this, a legitimate reader may verify the ID and the associated metaID of a tag with the backend database. Hash locks may be extended to provide access control for other tag functionality and to support multiple users. Since the metaID acts as a UID of an RFID tag, location privacy risks may arise under hash locks even without knowing the real ID. 

Figure 10.3 Hash locking (message flow between tag, reader, and database: the reader sends a request, the tag replies with its metaID, the reader looks the metaID up in the database and receives the ID and key, sends the key to the tag, and the tag replies with its ID). 
Figure 10.4 Randomized hash locking (message flow: the reader sends a request, the tag replies with r and h(ID||r), the reader gets all IDs ID1, ID2, ..., IDn from the database and sends the matching IDk to the tag). 


10.4.1.2 Randomized Hash Locking 
Randomized hash locking provides a solution to the tracking of individuals for a small number of RFID tags. The processes of tag locking and unlocking are illustrated in Figure 10.4. 

• Lock a tag: Upon receiving queries from readers, an RFID tag picks a random value $r$ and generates a hash value from its ID concatenated with $r$, i.e. hash(ID||$r$). Both $r$ and hash(ID||$r$) are sent as responses to the queries. The RFID tag enters the locked state. 

• Unlock a tag: A legitimate reader identifies an RFID tag by hashing each of its known IDs concatenated with $r$ until it finds a match. Due to the complexity of the brute-force search, randomized hash locking is only feasible for a small number of RFID tags. 


Analysis of Randomized Hash Locks The randomized hash lock may not be theoretically 
robust, since a general one-way function does not guarantee secrecy of its input: it is possi- 
ble that bits of the input are revealed. To counter this, a stronger primitive is needed to 
protect the ID bits. In the protocol design, assume that each RFID tag shares a unique secret 
key k with the reader and supports a pseudo-random function ensemble 


F = \{ f_n \}_{n \in \mathbb{N}}. 


Upon receiving a query from a reader, an RFID tag picks a random value r and computes 
ID ⊕ f_k(r). Both r and ID ⊕ f_k(r) form the response to the query. The reader searches for a 
match by brute force, computing f_k(r) for each known key k. To avoid storing tag IDs on the 
backend database, RFID tags may instead append a hash of the ID to the ID before masking, 
i.e. respond with (ID||h(ID)) ⊕ f_k(r). The reader identifies the tag by computing f_k(r) for 
each of its known keys and XORing it with the second part of the response; a value of the 
form (x||h(x)) indicates a match, and x is the ID. 
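The three designs above (the plain hash lock, the randomized hash lock, and the PRF-based 
variant), together with the metaID replay described under Analysis of Hash Locks, as an added 
Python example written for this page rather than code from the book. SHA-256 stands in for the 
tag's hash h(·) and HMAC-SHA256 for the pseudo-random function f_k; IDs are treated as byte 
strings, and in the PRF variant the ID is 16 bytes and h(ID) is truncated to 16 bytes so that 
ID||h(ID) fits one PRF output. These are assumptions made for the example, not part of the 
protocols as described. 

```python
import hashlib
import hmac
import os


def H(data: bytes) -> bytes:
    """Tag-side one-way hash; SHA-256 stands in for the book's h(.) (assumption)."""
    return hashlib.sha256(data).digest()


# --- plain hash lock ---------------------------------------------------------

class HashLockTag:
    def __init__(self, tag_id: bytes, key: bytes):
        self.tag_id, self.meta_id, self.locked = tag_id, H(key), True

    def query(self) -> bytes:          # while locked, only metaID is revealed
        return self.meta_id

    def unlock(self, key: bytes):
        if H(key) == self.meta_id:     # tag hashes the received key and compares
            self.locked = False
            return self.tag_id
        return None


class SpoofedTag:
    """Attacker's device replaying a captured metaID; it keeps the key the reader sends."""
    def __init__(self, captured_meta_id: bytes):
        self.meta_id, self.captured_key = captured_meta_id, None

    def query(self) -> bytes:
        return self.meta_id

    def unlock(self, key: bytes):
        self.captured_key = key
        return None


class HashLockReader:
    def __init__(self):
        self.db = {}                   # backend: metaID -> (ID, key)

    def enroll(self, tag_id: bytes) -> HashLockTag:
        key = os.urandom(16)
        tag = HashLockTag(tag_id, key)
        self.db[tag.meta_id] = (tag_id, key)
        return tag

    def read(self, tag):
        """Look up the metaID and send the key: the step a replayed metaID abuses."""
        entry = self.db.get(tag.query())
        return tag.unlock(entry[1]) if entry else None


# --- randomized hash lock ----------------------------------------------------

class RandomizedHashLockTag:
    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def query(self):
        r = os.urandom(8)              # fresh nonce: no fixed metaID to track
        return r, H(self.tag_id + r)


def identify_randomized(known_ids, r: bytes, h: bytes):
    """Reader brute-forces H(ID||r) over every known ID."""
    for tag_id in known_ids:
        if H(tag_id + r) == h:
            return tag_id
    return None


# --- PRF variant: (ID||h(ID)) xor f_k(r) -------------------------------------

def f(k: bytes, r: bytes) -> bytes:
    """Pseudo-random function f_k; HMAC-SHA256 stands in (assumption)."""
    return hmac.new(k, r, hashlib.sha256).digest()


def prf_tag_response(tag_id: bytes, k: bytes):
    """tag_id is 16 bytes and h(ID) is truncated to 16 bytes so that the
    32-byte block ID||h(ID) matches the PRF output length (assumption)."""
    r = os.urandom(8)
    block = tag_id + H(tag_id)[:16]
    return r, bytes(p ^ q for p, q in zip(block, f(k, r)))


def identify_prf(known_keys, r: bytes, response: bytes):
    """Reader tries every known key; a candidate of the form x||h(x) is a match."""
    for k in known_keys:
        cand = bytes(p ^ q for p, q in zip(response, f(k, r)))
        if cand[16:] == H(cand[:16])[:16]:
            return cand[:16]
    return None
```

Running `HashLockReader().read()` against a `SpoofedTag` built from a sniffed metaID shows the 
weakness directly: the reader finds the metaID in its database and hands the key to the spoofer, 
which can then unlock the genuine tag. Neither randomized variant exposes a constant value, but 
both cost the reader one hash or PRF evaluation per known tag. 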


10.4.2 HB Protocol and the Enhancement 


10.4.2.1 HB Protocol 

The HB protocol was proposed by Hopper and Blum [89]. An overview of a round of the HB 
protocol is given in Figure 10.5. A secret x and a noise parameter η are known to both sides. 
The reader picks a random k-bit value a and queries the tag. The tag picks a random bit v and 
replies z = (a·x) ⊕ v, where a·x is the scalar (inner) product of the k-bit binary vectors a and 
x over GF(2) and ⊕ is exclusive-or (XOR). The random value v is 1 with probability η, and 0 
otherwise. The HB protocol repeats the round r times, and the tag is authenticated if the 
check on the reader's side, a·x = z, fails at most ηr times. 

Figure 10.5 Illustration of HB protocol. 

Analysis of HB Protocol 

The HB protocol is based on the hardness of the learning parity with noise (LPN) problem, 
hence is deemed secure to the extent that the related LPN problem is hard. The inner product 
used by HB is the parity of the bit-wise AND (&) of two strings. Without noise, given k 
challenge/response pairs (a_i, z_i), the k-bit secret x is determined by linear algebra over 
GF(2) as follows: 


\begin{bmatrix} a_1 \\ a_2 \\ \vdots \\ a_k \end{bmatrix} x = \begin{bmatrix} z_1 \\ z_2 \\ \vdots \\ z_k \end{bmatrix}. \quad (10.1) 


Note that the rows of the challenge matrix must be linearly independent. Adding noise by 
flipping the value of z with probability η turns this into the LPN problem, which is NP-hard 
[92]. Although the protocol works well under most circumstances against passive adversaries, 
it is vulnerable to active adversaries. As shown in Figure 10.6, an attacker (e.g. a rogue 
reader) can transmit a non-random value a to the tag. Each time, the tag replies with the 
corresponding z = (a·x) ⊕ v. For example, if the queries are a = 1000... and the majority of 
the responses are 1, then the attacker learns the first bit of x: 


\begin{bmatrix} 1000\ldots \end{bmatrix} x = \begin{bmatrix} 1 \end{bmatrix}. \quad (10.2) 


After that, the attacker issues new queries a = 0100...; if the majority of the responses 
are 0, the attacker updates the system to 


\begin{bmatrix} 1000\ldots \\ 0100\ldots \end{bmatrix} x = \begin{bmatrix} 1 \\ 0 \end{bmatrix}. \quad (10.3) 
Figure 10.6 Active attacker to HB protocol. Message flow (tag, attacker): the attacker sends 
a non-random value a; the tag generates a random value v and replies z = (a·x) ⊕ v; the 
attacker repeats with further non-random values a and retrieves x from the replies. 


The attacker could continue the process k times with corresponding a and finally retrieve 
the secret value x. 


10.4.2.2 HB+ Protocol 

The HB+ protocol modifies the HB protocol by adding a blinding value b so that the active 
attack that threatens the HB protocol is mitigated [90]. In the HB+ protocol, two secrets 
(x, y) are pre-shared between the tag and the reader. As illustrated in Figure 10.7, in each 
round of the process, the tag first sends a random blinding value b to the reader. The reader 
replies with a random value a. Upon receiving a, the tag generates a random value v, where 
v = 1 with probability η and v = 0 otherwise, and computes 


z = (a·x) ⊕ (b·y) ⊕ v. 


The reader checks whether (a·x) ⊕ (b·y) = z. The tag is authenticated if the check fails at most 
ηr times over the r rounds. 


Figure 10.7 Illustration of HB+ protocol. Message flow (tag, reader), repeated r times: the 
tag sends a blinding value b; the reader sends a random value a; the tag generates a random 
value v and replies z = (a·x) ⊕ (b·y) ⊕ v; the reader checks whether (a·x) ⊕ (b·y) = z. 

Figure 10.8 The man-in-the-middle attack on HB+ protocol to retrieve x. 


Analysis of HB+ 

Although the HB+ protocol mitigates the active attack that threatens the original HB proto- 
col, it is vulnerable to a man-in-the-middle attack. An attacker first manipulates the challenges 
sent from a legitimate reader to retrieve the secret x from a legitimate tag, as illustrated 
in Figure 10.8. The attacker relays the blinding value b from the legitimate tag unchanged. It 
then manipulates the challenge as 


a' = a ⊕ δ, 


where δ is a k-bit constant vector. The tag follows the protocol by generating the random 
value v and replies 


z = (a'·x) ⊕ (b·y) ⊕ v = (a·x) ⊕ (b·y) ⊕ (δ·x) ⊕ v. 


The attacker is assumed to be able to observe whether the authentication succeeds or 
not. A successful authentication indicates that δ·x = 0 with high probability (the reader's 
checks then fail only in the rounds where v = 1); a failed authentication indicates that δ·x = 1 
with high probability (the checks then fail whenever v = 0). Choosing δ to be each unit vector 
in turn and running the protocol k times reveals all bits of the secret value x. 

Once x is known, the attacker can impersonate the tag to retrieve the secret y from a 
legitimate reader. As shown in Figure 10.9, the attacker sends a chosen blinding value b to the 
reader. To each challenge a, the attacker replies with a·x instead of a proper z value, i.e. 
without the (b·y) and noise terms. If the authentication succeeds, the attacker knows that 
b·y = 0 with high probability; if it fails, b·y = 1 with high probability. By repeating the process 
k times with b running over the unit vectors, the attacker retrieves the secret value y. With 
both secrets (x, y) retrieved, the attacker can impersonate the tag to any reader. 
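The HB and HB+ rounds, the active attack on HB from Section 10.4.2.1 (non-random challenges 
with a majority vote) and the man-in-the-middle attack on HB+ just described, simulated end 
to end as an added Python example written for this page; it is not code from the book or from 
the cited papers. The parameters k = 16, η = 0.2, r = 160 and the seeded random generator are 
choices made for the example. The simulated reader accepts when at most 0.35r rounds fail 
rather than exactly ηr, since with a threshold of exactly ηr an honest tag would be rejected in 
about half of its authentications; any threshold strictly between η and 1/2 works the same way. 

```python
import random

K = 16            # secret length k in bits
ETA = 0.2         # noise probability eta
ROUNDS = 160      # rounds r per authentication
ACCEPT = 0.35     # accept if mismatches <= ACCEPT * ROUNDS; must lie between eta and 1/2
rng = random.Random(2024)   # seeded so the simulation is reproducible


def dot(a, x):
    """Inner product of two k-bit vectors over GF(2): parity of a AND x."""
    return bin(a & x).count("1") & 1


def noise():
    """v = 1 with probability eta, 0 otherwise."""
    return 1 if rng.random() < ETA else 0


class HBTag:
    def __init__(self, x):
        self.x = x

    def respond(self, a):
        return dot(a, self.x) ^ noise()             # z = (a.x) xor v


class HBPlusTag:
    """HB+ tag: sends a fresh blinding value b before every challenge."""
    def __init__(self, x, y):
        self.x, self.y, self.b = x, y, 0

    def blind(self):
        self.b = rng.getrandbits(K)
        return self.b

    def respond(self, a):
        return dot(a, self.x) ^ dot(self.b, self.y) ^ noise()


def hb_reader(x, tag):
    """HB reader: r random challenges; accept if few enough rounds fail."""
    fails = 0
    for _ in range(ROUNDS):
        a = rng.getrandbits(K)
        fails += tag.respond(a) != dot(a, x)
    return fails <= ACCEPT * ROUNDS


def hb_plus_reader(x, y, tag):
    """HB+ reader: receive b, send random a, check z == (a.x) xor (b.y)."""
    fails = 0
    for _ in range(ROUNDS):
        b = tag.blind()
        a = rng.getrandbits(K)
        fails += tag.respond(a) != (dot(a, x) ^ dot(b, y))
    return fails <= ACCEPT * ROUNDS


def hb_active_attack(tag, queries=100):
    """Rogue reader against HB (equations 10.2-10.3): query the unit vector
    e_i repeatedly; the majority of the noisy answers is x_i."""
    x = 0
    for i in range(K):
        ones = sum(tag.respond(1 << i) for _ in range(queries))
        if ones > queries // 2:
            x |= 1 << i
    return x


class _Relay:
    """Man in the middle, phase 1: b passes through, a is replaced by a xor delta."""
    def __init__(self, tag, delta):
        self.tag, self.delta = tag, delta

    def blind(self):
        return self.tag.blind()

    def respond(self, a):
        return self.tag.respond(a ^ self.delta)


class _Impersonator:
    """Phase 2: an attacker who knows x picks b itself and answers a.x,
    with no (b.y) term and no noise."""
    def __init__(self, x, b):
        self.x, self.b = x, b

    def blind(self):
        return self.b

    def respond(self, a):
        return dot(a, self.x)


def grs_attack(reader_x, reader_y, tag):
    """Man-in-the-middle attack on HB+. The reader's secrets are passed in only
    so that the honest reader can be simulated; the attacker itself uses nothing
    but the reader's accept/reject verdicts."""
    x = 0
    for i in range(K):            # delta = e_i, so delta.x = x_i; reject <=> x_i = 1
        if not hb_plus_reader(reader_x, reader_y, _Relay(tag, 1 << i)):
            x |= 1 << i
    y = 0
    for i in range(K):            # b = e_i, so b.y = y_i; reject <=> y_i = 1
        if not hb_plus_reader(reader_x, reader_y, _Impersonator(x, 1 << i)):
            y |= 1 << i
    return x, y
```

`grs_attack` needs 2k full authentications, k of them run through an honest tag and k with the 
attacker alone; afterwards `HBPlusTag(*grs_attack(...))` authenticates to the reader exactly as 
the genuine tag does, which is the failure HB++ is designed to remove. 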


10.4.2.3 HB++ Protocol 

The HB++ protocol further enhances the HB+ protocol to mitigate the threat from 
man-in-the-middle attacks [91]. As illustrated in Figure 10.10, the HB++ protocol consists 
of a preliminary stage and a round stage. In this protocol, each tag has a unique secret Z. In 
the preliminary stage, the tag and the reader first exchange blinding values B and A. From 
the blinding values and Z, both the tag and the reader derive the secret values 


(x, x', y, y') = h(Z, A, B), 
Figure 10.9 The man-in-the-middle attack on HB+ protocol to retrieve y. Message flow 
(attacker, reader): the attacker sends a chosen blinding value b; the reader sends a random 
value a; the attacker replies a·x; repeated k times to retrieve y. 


Figure 10.10 Illustration of HB++ protocol. Preliminary stage (tag, reader): the tag sends a 
blinding value B; the reader sends a random value A; both compute (x, x', y, y') = h(Z, A, B). 
Round stage, for p = 1, 2, ..., r: the tag sends a blinding value b; the reader sends a random 
value a; the tag generates random values v and v' and replies z = (a·x) ⊕ (b·y) ⊕ v and 
z' = (rot(f(a), p)·x') ⊕ (rot(f(b), p)·y') ⊕ v'; the reader checks whether (a·x) ⊕ (b·y) = z and 
(rot(f(a), p)·x') ⊕ (rot(f(b), p)·y') = z'. 


where h(·) can be a universal hash function. The derived secrets are then used in the round 
stage for authentication. In each round p = 1, 2, ..., r, the tag and the reader first exchange 
blinding values b and a. The tag then generates random values v and v', each equal to 1 with 
probability η, and computes 


z = (a·x) ⊕ (b·y) ⊕ v, 
z' = (rot(f(a), p)·x') ⊕ (rot(f(b), p)·y') ⊕ v', 


where rot(·, p) is bit rotation by the round number p, and f(·) is a lightweight function 
chosen to thwart the man-in-the-middle attack: a manipulation of a must not translate into a 
predictable change of the second response z'. Besides f(·), the hash function h(·) is also 
introduced for the same purpose, as it ties the round secrets to the fresh values A and B. 
Please refer to the original paper for detailed discussion and examples of the functions [91]. 
10.5 Summary 


RFID security was introduced in this chapter. With the pervasive application of RFID tags, 
it is imperative to provide security services such as confidentiality, integrity, privacy, and 
availability to RFID systems. However, due to the low cost and physical constraints of RFID 
tags, mitigation mechanisms for security risks are limited to lightweight cryptographic algo- 
rithms, anti-collision algorithms, and possible physical protection such as a Faraday cage. 
Security for Wireless Wide Area Networks 


11 
GSM Security 


The Global System for Mobile Communications (GSM) is an international standard for one of 
the second generation (2G) digital cellular communication systems [93]. GSM was developed 
by the European Telecommunications Standards Institute (ETSI) [94]. Since the early 1990s, 
GSM has been the most widely used cellular mobile phone system in the world. 
Services provided by GSM include voice communications, short messaging service, fax, 
data, etc. GSM provides security features for subscriber authentication, confidentiality on 
the radio links, and user anonymity. In this chapter, each of these security features and 
selected security mechanisms will be described. 


11.1 GSM System Architecture 


A typical GSM system architecture is depicted in Figure 11.1. There are three parts in the 
GSM system architecture, mobile station, base station subsystem, and network subsystem. 


11.1.1 Mobile Station 


A Mobile Station (MS) is a subscriber's Mobile Equipment (ME, e.g. a cell phone) together 
with a Subscriber Identity Module (SIM) card. Each mobile equipment has an International 
Mobile Equipment Identity (IMEI) as its unique global identity. For example, you may 
dial “*#06#” to check the IMEI of your cell phone. Most GSM equipment also has its 
IMEI printed on the back. If a cell phone is lost, one can report the IMEI to the service 
provider for further action (e.g. locking down the phone). A SIM card is a smart card that 
stores identities, keys, security algorithms, and other information (e.g. a list of the last call 
attempts, a list of preferred operators, and supplementary service data). The identities stored 
in a SIM card include an International Mobile Subscriber Identity (IMSI) and a Temporary 
Mobile Subscriber Identity (TMSI) if one has been assigned. Keys stored in a SIM card include 
a long term secret key and a session key. The long term secret key is used for the 
authentication process and for session key generation. The session key is used for data 
encryption over radio links. A SIM card is a tamper-resistant device and is additionally 
protected by a PIN code. 


Security in Wireless Communication Networks, First Edition. Yi Qian, Feng Ye, and Hsiao-Hwa Chen. 
© 2022 John Wiley & Sons Ltd. Published 2022 by John Wiley & Sons Ltd. 
Companion website: www.wiley.com/go/qian/sec51 






Figure 11.1 A typical GSM system architecture. Mobile station: SIM and ME, connected over 
the wireless interface to the base station subsystem (BTS, BSC), which connects over the 
backbone network to the network subsystem (MSC, GMSC, VLR, HLR, EIR, AuC). 


11.1.2 Base Station Subsystem 


The region of a network operator is divided into cells. Each cell is served by one or more 
wireless transceivers for network services such as voice, text, and data. Multiple cells join 
together to cover a wide geographic area so that mobile users can roam freely with con- 
tinuous mobile network services. The cells in the GSM system are supported by the base 
station subsystem. As shown in Figure 11.2, a base station subsystem comprises several 
Base Transceiver Stations (BTSs) and Base Station Controllers (BSCs). A BSC is connected 


Figure 11.2 Connections of BTSs and BSCs (several BTSs per BSC; the BSCs are linked to the 
backbone network). 




to one or more BTSs through the backbone networks of the GSM operator. Each BTS forms 
a wireless cell that provides radio coverage for MSs. A BTS also handles the radio chan- 
nels and the radio-link protocol in its cell. The MSs within the cell coverage connect to the 
BTS through wireless links. A BSC manages the radio resources for one or more BTSs. 
A BSC also handles channel setup and handover of MSs. BSCs are connected to the Mobile 
Switching Center (MSC) through the backbone network. 


11.1.3 Network Subsystem 


The network subsystem provides the core functions of the GSM architecture, including the 
telephone switching function, subscriber profile management, and mobility management. It 
consists of several switching and database elements for user and system management: the 
MSC, Gateway MSC (GMSC), Home Location Register (HLR), Visitor Location Register 
(VLR), Equipment Identity Register (EIR), and Authentication Center (AuC). 

The MSC is responsible for call signaling and processing, as well as coordinating the han- 
dover from one BTS to another as an MS roams in the network. The network traffic of the 
MSs in their respective cells is routed through the MSC. The MSC also manages the roles 
of inter-cell transfer, mobile subscriber visitors, and interconnection with the Public 
Switched Telephone Network (PSTN). Each MSC is connected through a GMSC to the local 
PSTN or Integrated Services Digital Network (ISDN) to provide connectivity between 
mobile and fixed telephone users. An MSC may also connect to Packet Data 
Networks (PDNs) to provide mobiles with access to data services. 

The HLR is a database in charge of the management of the operator's mobile subscribers. 
For a user registered with a network operator, the permanent data (e.g. the user's 
profile, the subscriber's international identity number, and telephone number) and temporary 
data (e.g. the user's current location) are stored in the HLR. The main information stored in 
the HLR is used to route calls to the MSs that are managed by the HLR. When a call is 
placed to a user, the HLR is always queried first about the user's current location. 

The VLR is responsible for a group of location areas and stores the data of those users 
who are currently in its area of responsibility. This may include user data that have 
been transmitted from the HLR to the VLR for faster access. The VLR may also assign and 
store local data such as a temporary identification. Concerning subscriber mobility, the VLR 
comes into play by verifying the characteristics of the subscriber and ensuring the trans- 
fer of location information. The VLR contains the current location of the MS and selected 
administrative information from the HLR. This information is necessary for call control and 
the provision of services for each mobile currently located in the zones controlled by the VLR. 
A VLR is connected to one MSC and is normally integrated into the MSC's hardware. 

The AuC is responsible for the authentication process of a subscriber. It holds a copy of 
the 128-bit secret key and the IMSI that are stored in each subscriber's SIM card. The IMSI is 
used to look up the subscriber and initiate an authentication process. The secret key is then 
applied in the rest of the authentication process. 

The EIR registers equipment data in the GSM architecture. GSM distinguishes explic- 
itly between the user and the equipment, and deals with them separately. The EIR is a database 
that contains a list of all valid MSs within the GSM network, where each MS is identified 
by its IMEI, which is a kind of serial number. Thus, the IMEI uniquely identifies an MS 
internationally. The IMEI is allocated by the equipment manufacturer and registered by 
the network operator, which stores it in the EIR. The IMSI uniquely identifies each registered 
user and is stored in the SIM. An MS can only be operated if a SIM with a valid IMSI is 
inserted into equipment with a valid IMEI. 


11.2 GSM Network Access Security Features 


The GSM security features include subscriber authentication, confidentiality over the radio 
links between MSs and BTSs, and user anonymity. Authentication and confidentiality 
are provided to ensure that only subscribers (paying users) can access the network and 
use the service: cellular networks are run by commercial service providers or network 
operators, so there is no access without payment (except for emergency calls). Subscriber 
identity confidentiality is provided by the GSM security schemes: anonymity protects users' 
identities by assigning them temporary identities that are changed regularly. Moreover, 
GSM security provides key management and detection of compromised equipment. 
Key management in GSM security is independent of the mobile equipment. It only 
involves the SIM card where the keys are stored. A SIM card is tamper-resistant 
and protected by a PIN code. As stated before, a SIM card is removable from the MS and 
contains all the end-user-specific data that has to reside in the MS, so a SIM card can be 
used with different equipment. Data integrity is not one of the security goals, because 
minor data loss or alteration would not affect a voice call in GSM. Readers should be aware 
that the GSM security specifications were designed by the GSM Consortium in secrecy. The 
details were only distributed on a need-to-know basis to hardware/software manufacturers 
and network operators. The authentication and enciphering algorithms were never 
published. However, several of the algorithms have since been leaked or reverse engineered. 


11.2.1 GSM Entity Authentication 


Entity authentication in GSM authenticates the subscriber and thereby defends against 
unauthorized users. The authentication involves an MS (specifically the SIM card attached 
to it), the MSC/VLR, the HLR, and the AuC. In GSM, the MSC/VLR is responsible for call 
control and provides the services for each mobile located in the zones controlled by the 
MSC/VLR. The MSC/VLR tracks the user and allocates the calls so that the network knows 
where to route a call placed to a roaming user. When a call is placed from a mobile phone, the 
visited GSM network's VLR authenticates the individual subscriber's SIM. The VLR immediately 
communicates with the HLR of the home network of the visited MS, which in turn retrieves 
the subscriber's authentication data from the AuC of the home network. The tasks of each 
component in the authentication process are listed in Table 11.1. The MSC/VLR has a direct 
connection with the MS; the HLR in the home network of the MS is connected to the 
MSC/VLR over the network. The AuC performs the core function of generating the 
parameters for authentication. 

GSM authentication is a challenge-response scheme. There is a long term secret key 
(i.e. K_i) shared between the subscriber and the home network. In particular, K_i is a 128-bit 
key stored both in the SIM card and in the AuC of the subscriber's home network. The key 
Table 11.1 Components and their tasks in GSM authentication. 


Component             Tasks 

Home network AuC      Provides parameters for the authentication and encryption functions of 
                      the original subscriber 

Home network HLR      Provides the MSC/VLR with authentication triplets (RAND, SRES, K_c); 
                      handles MS location for the original subscriber 

Visited network VLR   Stores generated triplets when a subscriber is not in the home network 


K_i is not exposed to the visited network. When a subscriber roams to a visited network, 
the secret key must not become known to the service provider of the visited network. There- 
fore, in the authentication scheme, the subscriber identity IMSI is used to retrieve 
the subscriber's long term secret key K_i at the home network, which verifies the identity of 
the roaming MS on the visited network's behalf. Because the authentication key K_i is the 
most essential component in the authentication process, it must never be transmitted over 
the air, to avoid possible interception. Therefore, K_i is placed only in the tamper-resistant 
SIM card in the MS and in the AuC of the home network. As illustrated in Figure 11.3, the 
GSM authentication protocol follows the steps described as follows: 


(1) The supplicant MS initiates the process by sending its IMSI to the visited network. 

(2) The VLR of the visited network forwards the IMSI to the home network of the suppli- 
cant, which is identified from the IMSI. 

(3) In the home network, the HLR forwards the IMSI to the AuC. 

(4) The AuC retrieves the K_i corresponding to the supplicant's IMSI and generates authen- 
tication triplets (RAND, SRES, K_c). 

(5) The home network forwards the triplets to the VLR of the network the MS is currently 
visiting. 

(6) The VLR stores the SRES and the K_c and forwards the RAND to the MS. 


Figure 11.3 GSM authentication protocol (mobile station with SIM card, visited network, home 
network): the IMSI is forwarded to the home network; the triplets (RAND, SRES, K_c) are 
returned to the visited network; RAND is sent to the MS; SRES' is returned and compared 
with SRES. 
(7) The MS uses the RAND to calculate SRES' and K_c. 

(8) The MS sends SRES' to the VLR of the visited network. 

(9) The VLR compares the SRES generated by the AuC with the SRES' generated by the 
MS. If they are equal, the MS is authenticated and admitted to the visited network. 


The triplets (RAND, SRES, K_c) are generated by three algorithms: 


• RAND is generated by a pseudo-random number generator (PRNG); 
• SRES is generated by algorithm A3; 
• K_c is generated by algorithm A8. 


When an MS has moved to a new MSC/VLR, the new MSC/VLR will normally establish 
the subscriber's identity by requesting the IMSI from the previous MSC/VLR. The previous 
VLR transfers, together with the IMSI, any unused triplets to the new VLR. This speeds up 
the authentication procedure, because the new VLR can only send a request for triplets to 
the subscriber's HLR/AuC after it has learned the real identity of the subscriber, which 
it does through this request to the previous VLR. It is worth noting that the keys (and triplets) 
are kept secret to one operator only. In other words, one operator does not have access to 
the subscriber keys of another operator; an MS roaming on another operator's network can 
only be authenticated with triplets supplied by its home operator. 
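The nine-step exchange of Figure 11.3, including the triplet cache in the visited VLR and the 
hand-over of unused triplets to the next MSC/VLR, as an added Python example written for 
this page rather than code from the book. HMAC-SHA256 stands in for A3/A8 (COMP128), 
whose look-up tables are not reproduced on this page, so the SRES and K_c values are not 
real GSM values; the message flow, the 128-bit K_i and RAND, and the 32-bit SRES and 
64-bit K_c sizes follow the text. The IMSI used in the usage below is a constructed value. 

```python
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3/A8: 32-bit SRES and 64-bit Kc from Ki and RAND.
    HMAC-SHA256 is a placeholder keyed function, not the real GSM algorithm."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SIM:
    """Holds Ki and only ever releases SRES and Kc, never Ki itself."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_a8(self._ki, rand)


class AuC:
    """Home network authentication centre: the only other holder of Ki."""
    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str) -> SIM:
        ki = os.urandom(16)                          # 128-bit Ki, shared with the SIM only
        self._keys[imsi] = ki
        return SIM(imsi, ki)

    def triplets(self, imsi: str, n: int = 5):
        """Step 4: fresh (RAND, SRES, Kc) triplets for one subscriber."""
        out = []
        for _ in range(n):
            rand = os.urandom(16)                    # 128-bit RAND from the PRNG
            sres, kc = a3_a8(self._keys[imsi], rand)
            out.append((rand, sres, kc))
        return out


class HLR:
    def __init__(self, auc: AuC):
        self.auc = auc

    def request_triplets(self, imsi: str):
        return self.auc.triplets(imsi)               # step 3: HLR -> AuC


class MobileStation:
    def __init__(self, sim: SIM):
        self.sim, self.kc = sim, None

    @property
    def imsi(self) -> str:
        return self.sim.imsi

    def challenge(self, rand: bytes) -> bytes:
        """Step 7: compute SRES' and Kc on the SIM; return SRES'."""
        sres, self.kc = self.sim.run_gsm_algorithm(rand)
        return sres


class VLR:
    """Visited network: caches triplets per IMSI and never sees Ki."""
    def __init__(self, hlr: HLR):
        self.hlr, self.cache, self.sessions = hlr, {}, {}

    def authenticate(self, ms: MobileStation) -> bool:
        imsi = ms.imsi                               # step 1: MS presents its IMSI
        if not self.cache.get(imsi):
            self.cache[imsi] = self.hlr.request_triplets(imsi)   # steps 2-5
        rand, sres, kc = self.cache[imsi].pop(0)     # step 6: keep SRES and Kc, send RAND
        sres_prime = ms.challenge(rand)              # steps 7-8
        if hmac.compare_digest(sres, sres_prime):    # step 9
            self.sessions[imsi] = kc                 # Kc is now shared with the MS
            return True
        return False

    def handover(self, imsi: str, new_vlr: "VLR"):
        """Pass the IMSI and any unused triplets to the next MSC/VLR."""
        new_vlr.cache[imsi] = self.cache.pop(imsi, [])


if __name__ == "__main__":
    auc = AuC()
    vlr = VLR(HLR(auc))
    ms = MobileStation(auc.provision("262011234567890"))   # constructed IMSI
    print("authenticated:", vlr.authenticate(ms), "Kc:", ms.kc.hex())
```

The separation of objects makes the trust boundary visible: `VLR` holds only triplets and 
the resulting K_c, `AuC` and `SIM` are the only places `ki` appears, and a SIM with the wrong 
K_i fails at step 9 without the visited network ever learning why. 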


11.2.2 GSM Confidentiality 


Once an authentication process is completed, the session key K_c is shared between the MS 
and the visited network. The 64-bit K_c is used to encrypt the user data between the MS 
and the network over the wireless links. As shown in Figure 11.4, the core function of GSM 
encryption is algorithm A5. A5 is a stream cipher that takes two inputs: the session key 
K_c and the 22-bit frame number FN. The output of A5 is a 114-bit keystream per burst. 
The encryption is performed by XORing the user data (114 bits) with the keystream. At the 
receiver side, decryption is performed by generating the same keystream and XORing the 
ciphertext with it. The process is symmetric, so either the MS or the BTS may initiate the 
transmission. 


Figure 11.4 GSM encryption scheme. On both the mobile station and the BTS, A5 takes 
FN (22 bits) and K_c (64 bits) and produces a 114-bit keystream; the 114-bit data are XORed 
with it to give the 114-bit ciphertext, and the receiver XORs the same keystream to recover 
the data. 
11.2.3 GSM Anonymity 


Anonymity is provided in GSM security by hiding the IMSI of each user. In GSM, each 
IMSI is associated with a user's identity. Therefore, the IMSI should be used as seldom as 
possible to protect the user's identity from eavesdroppers. In GSM, anonymity is provided 
by assigning a TMSI as a temporary identification number. The TMSI is used between an 
MS and the network. Using the TMSI prevents tracing the identity of a mobile 
subscriber by interception of the traffic on the radio link. A TMSI is a 4-byte random number. 
The value cannot be all 1's because the SIM card uses this value to indicate that no valid 
TMSI is available. The network may assign a TMSI to a subscriber in several cases: 


• Case 1: A TMSI is first assigned when a subscriber sends its IMSI to the network during 
the authentication process. The TMSI is assigned for the duration that the subscriber is in 
the service area of the associated MSC. When a cell phone powers off, its TMSI is stored 
on the SIM card to be reused. 

• Case 2: The network operator can update the TMSI at any time during normal operation 
of a subscriber. 

• Case 3: A new TMSI will be assigned every time the location is updated to a new MSC for 
the subscriber. 

• Case 4: In a visited network, the VLR performs assignment, administration, and update 
of the TMSI. 


11.2.4 Detection of Stolen/Compromised Equipment in GSM 


When mobile equipment is lost or stolen, its IMEI can be used for detection of stolen or 
compromised equipment. The owner can report the loss of a cell phone to the network 
operator, which stores the IMEI in the EIR. If required by law in the operator's jurisdiction, 
the operator can add the IMEI to the blacklist of stolen devices. The operator can optionally 
communicate the blacklist to a shared central EIR. Although a stolen device is still hard 
to trace, the network operators that share the central EIR can ban the stolen device from 
getting service. The IMEI is not supposed to be easy to change. In practice, however, it is 
possible to clone an IMEI onto another device. Moreover, the IMEI is an unauthenticated 
mobile identifier, as opposed to the IMSI, which is tied to the authenticated SIM. Therefore, 
a reported stolen IMEI may already have been changed on the stolen device. As a result, it is 
unclear whether barring an IMEI has any positive effect for either the network operator or 
the subscriber. 


11.3 GSM Security Algorithms 


Algorithms A3, A8, and A5 are the major algorithms applied in GSM security. A3 is the MS 
authentication algorithm. A8 is the session key (i.e. K_c) generation algorithm. And A5 is 
the algorithm for data encryption. Both A3 and A8 are typically implemented through the 
function COMP128. 
11.3.1 Algorithm A3 


Algorithm A3 is applied to generate a signed response for MS authentication. As shown in 
Figure 11.5, A3 takes as inputs a 128-bit random number RAND and the 128-bit long term 
secret key K_i, then outputs a 32-bit response SRES. 


11.3.2 Algorithm A8 


Algorithm A8 is applied to generate the session key for each subscriber. As shown in 
Figure 11.6, A8 takes as inputs a 128-bit random number RAND and the 128-bit long term 
secret key K_i, then outputs a 64-bit session key K_c. One session key is used until the MSC 
decides to authenticate the MS again, e.g. after a few days. 


11.3.3 Algorithm COMP128 


Algorithms A3 and A8 are not fixed by the hardware manufacturers; they are chosen by the 
network operator and implemented on each SIM card and in the operator's AuC. In most GSM 
networks, A3 and A8 are derived from one algorithm, COMP128 [95]. COMP128 is a keyed hash 
function, as shown in Figure 11.7. COMP128 takes as inputs a 128-bit random number RAND 
and the 128-bit long term secret key K_i, then outputs a 128-bit string, from which the 
32-bit SRES and the 64-bit K_c are taken. 

COMP128 was originally a completely private algorithm. In 1997, a leaked doc- 
ument led to a successful reverse engineering of the algorithm. There are four versions 
of the COMP128 algorithm, as listed in Table 11.2. The full publication of COMP128-1 was 
Table 11.2 Four versions of the COMP128 algorithm. 


Version     Description 

COMP128-1   The original algorithm; only 54 bits of the generated K_c are effective, the 
            last 10 bits being zero 

COMP128-2   A stronger algorithm; however, K_c is still effectively 54 bits only 

COMP128-3   The same algorithm as COMP128-2 with a full 64-bit K_c generated 

COMP128-4   Designed based on the 3GPP algorithm Milenage, which uses AES [96] 


Algorithm 11.1 COMP128-1 
Input: RAND and K_i; 
Output: SRES and K_c; 
Initialize x[32]; // 32 bytes 
x[16 to 31] ← RAND; 
for j := 0 to 7 do 
    x[0 to 15] ← K_i; 
    call Compression; // 5 levels 
    call FormBitsFromBytes; 
    if j < 7 then 
        call Permute 
    end if 
end for 
SRES ← bit[0 to 31]; 
K_c ← bit[74 to 127] || 0000000000_2; 
return 


published in 1998 [95]. A sketch of the COMP128-1 algorithm is shown in Algorithm 11.1. 
COMP128-1 operates on a 32-byte array, x[32]. The initialization process sets x[16 to 31] 
to RAND. The round function of COMP128-1 consists of three steps: Compression, 
FormBitsFromBytes, and Permute. The first 16 bytes of the array, x[0 to 15], are set to 
the key K_i at the start of each round. COMP128-1 runs its round function a total of eight 
times. The final output of COMP128-1 is a 128-bit string in which the first 32 bits form the 
SRES and the last 54 bits, zero-padded to 64 bits, form K_c. COMP128-1 was discontinued 
in 2002 due to its weaknesses: the secret key K_i can be recovered by an attacker who has 
physical access to a SIM and can feed it chosen RAND values. 

The core function of COMP128-1 is the Compression function (also known as the 
Butterfly Structure) [97]. The butterfly structure has five levels of compression, as shown 
in Figure 11.8. Details of the compression function are described in Algorithm 11.2. At each 
level, two input bytes determine the indices into the level's look-up table, and those two bytes 
of the array x[32] are replaced by the two values read from that table. There are five look-up 
tables, one per level. The sizes of the five tables are given in Table 11.3. Each compression 
level applies the look-up 
Figure 11.8 Illustration of COMP128-1 compression function. 


Algorithm 11.2 COMP128-1 Compression 
Input: x[32]; 
Output: Compressed x[32]; 
for i := 0 to 4 do 
    for j := 0 to 2^i − 1 do 
        for k := 0 to 2^(4−i) − 1 do 
            m ← k + j × 2^(5−i); 
            n ← m + 2^(4−i); 
            y ← (x[m] + 2 × x[n]) mod 2^(9−i); 
            z ← (2 × x[m] + x[n]) mod 2^(9−i); 
            x[m] ← T_i[y]; 
            x[n] ← T_i[z]; 
        end for 
    end for 
end for 


table T_i at level i. Table T_i contains 2^(9−i) values, where each value is (8 − i) bits long. For 
example, the look-up table at level 0 is T_0, which has 512 (i.e. 2^9) values, where each value 
is 8 bits. Similarly, the look-up table at level 4 is T_4, which has 32 values, where each value 
is 4 bits. All look-up tables are listed in Table 11.4. 

Function FormBitsFromBytes converts the result from bytes to bits, as detailed in 
Algorithm 11.3, where >> is the bitwise right shift and & is bitwise AND. Function Permute 
shuffles the array x[32], as detailed in Algorithm 11.4, where << is the bitwise left shift. The two 
Table 11.3 Settings of look-up table T_i. 


Level   Table name   Number of entries   Value width 

0       T_0          512                 8-bit 
1       T_1          256                 7-bit 
2       T_2          128                 6-bit 
3       T_3          64                  5-bit 
4       T_4          32                  4-bit 


Table 11.4 COMP128-1 look-up tables. 
functions generate a new 128-bit array bit[128] that is in the form of the final output. At 
last, COMP128-1 outputs: 


SRES : bit[0 to 31]; 
K_c : bit[74 to 127] || 0000000000_2. 


Algorithm 11.3 COMP128-1 FormBitsFromBytes 
Input: x[32]; 
Output: bit[128]; // 128 bits 
for j := 0 to 31 do 
    for k := 0 to 3 do 
        bit[4j + k] ← (x[j] >> (3 − k)) & 1; 
    end for 
end for 
Algorithm 11.4 COMP128-1 Permute 
Input: bit[128], x[32]; 
Output: Permuted x[32]; 
for j := 0 to 15 do 
    x[j + 16] ← 0; 
    for k := 0 to 7 do 
        x[j + 16] ← x[j + 16] | (bit[(17(8j + k)) mod 128] << (7 − k)); 
    end for 
end for 
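Algorithms 11.1 to 11.4 assembled into runnable Python, as an added example written for this 
page rather than code from the book. The five real look-up tables T_0 to T_4 (Table 11.4) are 
not reproduced on this page, so STANDIN_TABLES below are constructed values of the right 
number of entries and bit width; the outputs are therefore not genuine COMP128-1 values, 
and the real tables must be substituted to obtain the real function. What the skeleton does 
show faithfully is the butterfly index arithmetic of Algorithm 11.2, the step-17 permutation, 
and the K_c truncation: whatever the tables, the low 10 bits of K_c are always zero, which is 
why the effective session key is 54 bits. The sample RAND and K_i in the usage are constructed. 

```python
# Constructed stand-ins for T_0..T_4: 2^(9-i) entries of (8-i) bits at level i.
# These are NOT the real COMP128-1 tables (assumption for this example).
STANDIN_TABLES = [
    [(v * 7 + 3) % (1 << (8 - i)) for v in range(1 << (9 - i))]
    for i in range(5)
]


def compress(x, tables):
    """Algorithm 11.2 (butterfly): five levels; at level i each pair (m, n)
    is replaced by table look-ups indexed by mixes of x[m] and x[n]."""
    for i in range(5):
        for j in range(1 << i):
            for k in range(1 << (4 - i)):
                m = k + j * (1 << (5 - i))
                n = m + (1 << (4 - i))
                y = (x[m] + 2 * x[n]) % (1 << (9 - i))
                z = (2 * x[m] + x[n]) % (1 << (9 - i))
                x[m] = tables[i][y]
                x[n] = tables[i][z]


def form_bits_from_bytes(x):
    """Algorithm 11.3: the low nibble of each of the 32 bytes -> 128 bits."""
    bits = [0] * 128
    for j in range(32):
        for k in range(4):
            bits[4 * j + k] = (x[j] >> (3 - k)) & 1
    return bits


def permute(bits, x):
    """Algorithm 11.4: rebuild x[16..31] from the bit array, stepping by 17."""
    for j in range(16):
        x[j + 16] = 0
        for k in range(8):
            x[j + 16] |= bits[(17 * (8 * j + k)) % 128] << (7 - k)


def comp128_1(rand: bytes, ki: bytes, tables=STANDIN_TABLES):
    """Algorithm 11.1. Returns (SRES, Kc) as integers: SRES = bit[0..31],
    Kc = bit[74..127] followed by ten zero bits."""
    if len(rand) != 16 or len(ki) != 16:
        raise ValueError("RAND and Ki must both be 128 bits")
    x = [0] * 32
    x[16:32] = rand
    bits = []
    for rnd in range(8):
        x[0:16] = ki                      # the key is re-loaded every round
        compress(x, tables)
        bits = form_bits_from_bytes(x)
        if rnd < 7:                       # no permutation after the last round
            permute(bits, x)
    sres = int("".join(map(str, bits[0:32])), 2)
    kc = int("".join(map(str, bits[74:128])), 2) << 10
    return sres, kc


if __name__ == "__main__":
    sres, kc = comp128_1(bytes(range(16)), bytes(range(16, 32)))   # constructed inputs
    print("SRES = %08x  Kc = %016x  (low 10 bits of Kc: %d)" % (sres, kc, kc & 0x3FF))
```

The value of keeping the table contents as a parameter is that the 54-bit property can be 
checked independently of them: any attacker searching K_c for a COMP128-1 or COMP128-2 
session only has to cover 2^54 keys rather than 2^64. 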


11.3.4 Algorithm A5 


The wireless-link communication confidentiality is provided by algorithm A5 in the GSM 
cellular telephone standard. A5 has seven versions, all of which were initially kept secret. 
Because of leaks and reverse engineering, some of the A5 versions became public knowl- 
edge. Since then, a number of serious weaknesses of A5 have been identified. Versions 1 
and 2 will be discussed as they are the most widely deployed A5 algorithms. 


11.3.4.1 A5/1 
The A5/1 algorithm (A5/1 hereafter for brevity) was developed in 1987 to be used in Europe 
and the United States. The general design was leaked in 1994 and the algorithm was entirely 
reverse engineered by Marc Briceno in 1999. By 2011, the confidentiality of 4 billion GSM 
customers was protected by A5/1. A5/1 is a stream cipher that takes two inputs, the frame 
number FN and the session key K_c. The output of A5/1 is a 114-bit keystream per burst. 
Encryption is performed by XORing the keystream with the message data. 

The core of A5/1 consists of three Linear Feedback Shift Registers (LFSRs). An LFSR is 
designed to produce a pseudo-random bit sequence. Figure 11.9 illustrates a typical LFSR. 
As it shows, an LFSR consists of two parts: 

• Shift register: the bit sequence that holds the current state; 
• Tap sequence: the bits that are input to the feedback function. 

The shift register stores the current state of an LFSR. An n-bit LFSR has 2^n − 1 usable 
(non-zero) internal states; the all-zero state maps to itself and must be avoided. The length 
of the output sequence before an LFSR repeats itself is its period. The maximal period of an 
n-bit LFSR is therefore 2^n − 1. The actual period is determined by the tap sequence: the 
period is maximal exactly when the polynomial formed by the tap sequence plus 1 is a primitive 
polynomial (modulo 2). 

The three LFSRs of A5/1 have different lengths. The combined length of the three LFSRs 
is 64 bits. As listed in Table 11.5, the three LFSRs are 19, 22, and 23 bits long with sparse 
feedback polynomials. An overview of the LFSR construction used in A5/1 is shown in 
Figure 11.10. All three registers are clocked based on their middle bits (i.e. R_1[8], R_2[10], 
and R_3[10]). Clocking a register means that the tapped bits are XORed to produce the bit 
that is the input to the feedback. For example, if R_1 is clocked, the tapped bits are XORed 
as R_1[18] ⊕ R_1[17] ⊕ R_1[16] ⊕ R_1[13], the result is written to position R_1[0], 
and R_1 shifts left by one bit (R_1[j] ← R_1[j − 1] for j > 0, so the former R_1[18] is 
shifted out). A register is clocked only if its middle bit agrees with the majority 
value of the three middle bits. The outputs of the three registers are XORed together, i.e. 
R_1[18] ⊕ R_2[21] ⊕ R_3[22]. The XORed result is one bit of the keystream. 

Table 11.5 Specifications of the three LFSRs in A5/1 (bit 0 receives the feedback; the 
exponents of each polynomial are the tapped bit positions). 

LFSR   Length in bits   Feedback polynomial              Clocking bit   Tapped bits 
R_1    19               x^18 + x^17 + x^16 + x^13 + 1    8              13, 16, 17, 18 
R_2    22               x^21 + x^20 + 1                  10             20, 21 
R_3    23               x^22 + x^21 + x^20 + x^7 + 1     10             7, 20, 21, 22 

Figure 11.10 A5/1 LFSR construction. 

The clocking mechanism guarantees that at least two registers (i.e. the majority) are 
clocked in each round. To better understand the clocking mechanism of A5/1, three 
examples are shown in Figure 11.11. In the first example, the middle bits of the three reg- 
isters are 1, 1, and 1, so all three registers are clocked. In the second example, the middle 
bits are 0, 0, and 1, so the first and the second registers are clocked and the third is not. In 
the third example, the middle bits are 0, 0, and 0, so again all three registers are clocked. 

Example: producing three bits from the LFSRs. The current state of each LFSR 
and the detailed operating process are shown in Figure 11.12. The first output bit of the 
keystream is computed as: 

R_1[18] ⊕ R_2[21] ⊕ R_3[22] = 1 ⊕ 1 ⊕ 1 = 1. 

The middle bits are 1, 0, 1. By the majority rule, the first and the third registers are 
clocked. For the first register, the tap sequence determines the bit that is input to the feedback 
as R_1[18] ⊕ R_1[17] ⊕ R_1[16] ⊕ R_1[13] = 1 ⊕ 0 ⊕ 1 ⊕ 1 = 1. The second register is not 
clocked. For the third register, the input to the feedback is R_3[22] ⊕ R_3[21] ⊕ R_3[20] ⊕ 
R_3[7] = 1 ⊕ 0 ⊕ 1 ⊕ 0 = 0. Thus, the second bit of the keystream is: 

R_1[18] ⊕ R_2[21] ⊕ R_3[22] = 0 ⊕ 1 ⊕ 0 = 1. 

The middle bits are now 0, 0, 1, so the first and the second registers are clocked. The inputs to 
the feedback are 0 and 1, respectively. The third bit of the keystream is: 

R_1[18] ⊕ R_2[21] ⊕ R_3[22] = 1 ⊕ 0 ⊕ 0 = 1. 

The three output bits are 111_2. This process continues to generate further keystream bits. 

Figure 11.11 Examples of the clocking mechanism in A5/1. 

Figure 11.12 An example of 3-bit output from the A5/1 LFSRs. 

The detailed A5/1 algorithm is shown in Algorithm 11.5. The three registers are initialized 
with the session key K_c and the frame number FN. The 64-bit K_c is first loaded into the 
registers bit by bit, starting from the Least Significant Bit (LSB): each key bit is XORed into 
bit 0 of each of the three registers, and all three registers are then clocked. Note that the 
majority clocking mechanism is disabled during loading. All 64 bits of the key are loaded into 
the registers in this way. The 22-bit frame number is then loaded in the same way, again with 
all three registers clocked. After the registers have been initialized with K_c and the current 
FN, the majority clocking mechanism applies: the cipher is clocked one hundred times and the 
generated keystream bits are discarded. This is done in order to mix the frame number and 
keying material together. After that, the cipher is clocked 228 more times and the 228 output 
bits form the keystream for the frame. 


Algorithm 11.5 A5/1 
Input: FN and K_c; 
Output: 228-bit keystream; 
Set all LFSRs to 0 (i.e. R_1 = R_2 = R_3 = 0); 
for i := 0 to 63 do 
    R_1[0] ← R_1[0] ⊕ K_c[i]; 
    R_2[0] ← R_2[0] ⊕ K_c[i]; 
    R_3[0] ← R_3[0] ⊕ K_c[i]; 
    Clock all three registers (i.e. for j > 0, R_n[j] ← R_n[j − 1], and R_n[0] is set to the 
    XOR of the tapped bits of the previous value of R_n); 
end for 
for i := 0 to 21 do 
    R_1[0] ← R_1[0] ⊕ FN[i]; 
    R_2[0] ← R_2[0] ⊕ FN[i]; 
    R_3[0] ← R_3[0] ⊕ FN[i]; 
    Clock all three registers; 
end for 
for i := 0 to 99 do 
    Clock the cipher by its regular majority clocking mechanism and discard the output; 
end for 
for i := 0 to 227 do 
    Clock the cipher by its regular majority clocking mechanism; 
    Keystream[i] ← R_1[18] ⊕ R_2[21] ⊕ R_3[22]; 
end for 


The first 114 bits are used as the keystream for the downlink (BTS to MS) and the remaining 
114 bits for the uplink (MS to BTS), the same split as for A5/2 below. For the next frame, 
A5/1 is initialized again with the same K_c and the next FN. The keystream of a frame 
therefore depends only on K_c and the 22-bit FN, which is why recovering K_c from the 
keystream of a single frame compromises every frame of the call. 


11.3.4.2 Algorithm A5/2 
The A5/2 algorithm was used for export instead of the relatively stronger (but still weak) A5/1. 
This algorithm is simpler than A5/1 and was developed by ETSI for use in Eastern European 
states that were subject to restrictions on certain Western technologies. Similar to A5/1, A5/2 
is also based on a combination of LFSRs. There are four LFSRs (R_1, R_2, R_3, and R_4) with 
irregular clocking and a non-linear combiner in A5/2. The length, feedback polynomial, 
clocking control, and tapped bits of each register are listed in Table 11.6. 

The internal structure of A5/2 is shown in Figure 11.13. The clocking mechanism of A5/2 
is different from A5/1. In A5/2, register R_4 controls the clocking of R_1, R_2, and R_3. The 
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Table 11.6 Specifications of the four LSFRs in A5/2. 


LFSR Length in bits Characteristic polynomial Clocking bit Tapped bits 


R, 19 xP 4298 +27 4x41 8 1, 2, 5,19 
R, 22 xr +x+1 10 1, 22 
R, 23 34x15 +397? +241 10 1, 2, 15, 23 
R, 17 x7 42941 10 5,17 
ba] bs] be] bt | Bo #K — 
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Figure 11.13 A5/2 LSFR construction. 


clocking unit performs a majority function on the bits R,[3], R,[7], and R,[10]. If R,[10] 
agrees with the majority, then R, is clocked. If R,[3] agrees with the majority, then R, is 
clocked. If R,[7] agrees with the majority, then R, is clocked. After R,, R,, and R, finish the 
clocking process, R, is clocked. 

Once the clocking has been performed, the output bit is computed as follows. For each of 
R_1, R_2, and R_3, the output is the XOR of the register's leftmost (most significant) bit and 
a majority function of three other bits of the register, one of which is complemented. For R_1, 
the majority function Maj(·) takes R_1[15], R_1[14] ⊕ 1, and R_1[12]. The majority function is 
quadratic in its inputs: 

Maj(a, b, c) = (a ∧ b) ⊕ (b ∧ c) ⊕ (c ∧ a), 

where ∧ is the AND operation. The output of the majority function is XORed with R_1[18]. 
For R_2, Maj(·) takes R_2[16] ⊕ 1, R_2[13], and R_2[9]; its output is XORed with R_2[21]. For 
R_3, Maj(·) takes R_3[18], R_3[16], and R_3[13] ⊕ 1; its output is XORed with R_3[22]. The 
keystream bit is the XOR of the three outputs from R_1, R_2, and R_3. This quadratic combiner 
is the weak point of A5/2: once the clocking, which depends only on R_4, has been guessed, 
each keystream bit is a quadratic function of the initial state, and the state can be 
recovered by linear algebra. 

The internal state initialization process of A5/2 is shown in Algorithm 11.6. The four 
registers are initialized with K_c and FN. As in A5/1, each bit of K_c, starting from the LSB, 
is XORed into bit 0 of each of the four registers, and all four registers are then clocked 
without the majority mechanism. 

Algorithm 11.6 A5/2 internal state initialization 
Input: FN and K_c; 
Output: Initialized registers R_1, R_2, R_3, R_4; 
Set all LFSRs to 0 (i.e. R_1 = R_2 = R_3 = R_4 = 0); 
for i := 0 to 63 do 
    R_1[0] ← R_1[0] ⊕ K_c[i]; 
    R_2[0] ← R_2[0] ⊕ K_c[i]; 
    R_3[0] ← R_3[0] ⊕ K_c[i]; 
    R_4[0] ← R_4[0] ⊕ K_c[i]; 
    Clock all four registers; 
end for 
for i := 0 to 21 do 
    R_1[0] ← R_1[0] ⊕ FN[i]; 
    R_2[0] ← R_2[0] ⊕ FN[i]; 
    R_3[0] ← R_3[0] ⊕ FN[i]; 
    R_4[0] ← R_4[0] ⊕ FN[i]; 
    Clock all four registers; 
end for 

The FN is loaded into the registers in the same way as K_c. Once the initialization is 
finished, the keystream is generated as follows: 


(1) Force the bits R_1[15], R_2[16], R_3[18], and R_4[10] to 1; 
(2) Run A5/2 for 99 clocks and discard the output; 
(3) Run A5/2 for 228 clocks and use the output as keystream. 


Note that A5/2 discards 99 bits of output while A5/1 discards 100. The 228-bit 
output is separated into two halves. The first 114 bits are used as the keystream to encrypt 
the message data from the BTS to the MS (i.e. downlink transmission). The remaining 114 bits 
are used as the keystream to encrypt the message data from the MS to the BTS (i.e. uplink 
transmission). 
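Both ciphers as an added Python example (not the book's code and not a reference implementation). It follows Algorithm 11.5 for A5/1 and Algorithm 11.6 plus the three steps above for A5/2: K_c and FN are loaded LSB first, and within each loading step the bit is XORed into bit 0 and then every register is clocked, in that order as written in Algorithm 11.5. Descriptions of A5/1 differ in whether the clock comes before or after that XOR, so a keystream from this code should only be compared with an implementation that uses the same loading order. All tap positions use the numbering of Table 11.5 (bit 0 receives the feedback); the R_4 taps at bits 11 and 16 correspond to the polynomial x^17 + x^5 + 1 written in reciprocal form. The session key, frame number and burst in the usage are constructed values.

```python
# Added example (not the book's code): A5/1 and A5/2 as keystream generators,
# following Algorithms 11.5 and 11.6 and Tables 11.5 and 11.6.
# Conventions: each register is an int; bit 0 receives the feedback and the
# register shifts towards higher bit positions, as in Figure 11.10.
# Kc (64 bits) and FN (22 bits) are loaded LSB first; in each loading step
# the bit is XORed into bit 0 and then every register is clocked.


def _bit(r, i):
    return (r >> i) & 1


def _maj(a, b, c):
    """Majority of three bits as the quadratic form (a AND b) XOR (b AND c) XOR (c AND a)."""
    return (a & b) ^ (b & c) ^ (c & a)


def _clock(r, length, taps):
    """Shift r left by one; the XOR of the tapped bits becomes the new bit 0."""
    fb = 0
    for t in taps:
        fb ^= _bit(r, t)
    return ((r << 1) & ((1 << length) - 1)) | fb


def _load(regs, specs, kc, fn):
    """Load Kc then FN into every register; majority clocking is disabled here."""
    if not (0 <= kc < 1 << 64 and 0 <= fn < 1 << 22):
        raise ValueError("Kc must be a 64-bit and FN a 22-bit value")
    for word, nbits in ((kc, 64), (fn, 22)):
        for i in range(nbits):
            b = (word >> i) & 1
            regs = [_clock(r ^ b, L, taps) for r, (L, taps) in zip(regs, specs)]
    return regs


# (length, tapped bits) per register, Table 11.5; clocking bits R1[8], R2[10], R3[10]
A51_REGS = ((19, (13, 16, 17, 18)), (22, (20, 21)), (23, (7, 20, 21, 22)))
A51_MID = (8, 10, 10)


def a51_keystream(kc, fn):
    """228 keystream bits of A5/1 for one frame: 114 downlink bits, then 114 uplink bits."""
    regs = _load([0, 0, 0], A51_REGS, kc, fn)

    def step(regs):
        mids = [_bit(r, m) for r, m in zip(regs, A51_MID)]
        maj = _maj(*mids)
        return [_clock(r, L, taps) if m == maj else r
                for r, (L, taps), m in zip(regs, A51_REGS, mids)]

    for _ in range(100):                 # mix Kc and FN; output discarded
        regs = step(regs)
    out = []
    for _ in range(228):
        regs = step(regs)
        out.append(_bit(regs[0], 18) ^ _bit(regs[1], 21) ^ _bit(regs[2], 22))
    return out


# A5/2: R1..R3 as in A5/1 plus the 17-bit R4 (taps 11 and 16 in this numbering)
A52_REGS = A51_REGS + ((17, (11, 16)),)


def a52_keystream(kc, fn):
    """228 keystream bits of A5/2 for one frame (same downlink/uplink split as A5/1)."""
    regs = _load([0, 0, 0, 0], A52_REGS, kc, fn)
    for i, pos in enumerate((15, 16, 18, 10)):   # force R1[15], R2[16], R3[18], R4[10] to 1
        regs[i] |= 1 << pos

    def step(regs):
        r1, r2, r3, r4 = regs
        maj = _maj(_bit(r4, 3), _bit(r4, 7), _bit(r4, 10))
        if _bit(r4, 10) == maj:
            r1 = _clock(r1, *A52_REGS[0])
        if _bit(r4, 3) == maj:
            r2 = _clock(r2, *A52_REGS[1])
        if _bit(r4, 7) == maj:
            r3 = _clock(r3, *A52_REGS[2])
        r4 = _clock(r4, *A52_REGS[3])            # R4 is clocked every cycle, last
        return [r1, r2, r3, r4]

    def output(regs):
        r1, r2, r3, _ = regs
        return (_maj(_bit(r1, 15), _bit(r1, 14) ^ 1, _bit(r1, 12)) ^ _bit(r1, 18)
                ^ _maj(_bit(r2, 16) ^ 1, _bit(r2, 13), _bit(r2, 9)) ^ _bit(r2, 21)
                ^ _maj(_bit(r3, 18), _bit(r3, 16), _bit(r3, 13) ^ 1) ^ _bit(r3, 22))

    for _ in range(99):                  # A5/2 discards 99 bits, A5/1 discards 100
        regs = step(regs)
    out = []
    for _ in range(228):
        regs = step(regs)
        out.append(output(regs))
    return out


def split_directions(keystream):
    """(downlink block, uplink block): BTS->MS uses the first 114 bits, MS->BTS the rest."""
    return keystream[:114], keystream[114:]


def xor_bits(data, keystream):
    """Encrypt or decrypt one 114-bit burst; the same call does both."""
    if len(data) != len(keystream):
        raise ValueError("burst and keystream block must have the same length")
    return [d ^ k for d, k in zip(data, keystream)]


if __name__ == "__main__":
    KC, FN = 0x1223456789ABCDEF, 0x134          # constructed values, not a standard test vector
    down, up = split_directions(a51_keystream(KC, FN))
    burst = [i % 3 % 2 for i in range(114)]      # constructed 114-bit burst
    assert xor_bits(xor_bits(burst, down), down) == burst
    print("A5/1 first 16 downlink bits:", "".join(map(str, down[:16])))
```

Two things worth observing with this code: K_c = 0 with FN = 0 yields an all-zero keystream for A5/1, because the all-zero LFSR state is a fixed point (the reason an n-bit LFSR has only 2^n − 1 usable states), and only FN changes between frames of a call, so one recovered K_c decrypts every frame in both directions.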


11.4 Attacks Against GSM Security 


Despite its popularity, the GSM system faces quite a few threats, since its security algorithms 
are vulnerable to attack. 


11.4.1 Attacks Against GSM Authenticity 


The authenticity of the GSM system is based on the secret key K_i. If K_i is com- 
promised, the whole account of a user is compromised, because both confidentiality and 
anonymity are derived from K_i. An attacker who retrieves K_i can eavesdrop on the 
subscriber's calls and may also place calls that are billed to the subscriber's account. 
If the legitimate user is registered to the network at the same time, the attacker may not be 
able to steal service, because the GSM system has trip wires for two identical subscribers. 
The mechanism works as follows: if two MSs with the same identity (i.e. the same IMSI/TMSI) 
are powered on at the same time, the network operator notices this and makes a location 
query for the MSs. Once the operator confirms that the "same" MS is in two different locations 
at the same time, it closes the account, preventing both the attacker and the legitimate 
subscriber from placing calls. This does not, however, protect the subscriber from being 
eavesdropped on by the attacker. 

The secret key K_i is stored in the SIM card. With physical access to a SIM card, 
K_i may be retrieved due to the flaw in the COMP128-1 algorithm that was discovered by the 
Smartcard Developer Association and the ISAAC security research group [98]. The attack is a 
chosen-challenge attack: COMP128-1 leaks information about K_i when suitably chosen RANDs 
are given to algorithm A8. The attack was performed with physical access to the SIM card 
through a smartcard reader connected to a computer; however, the same attack can also be 
launched over the air, because the network is not authenticated and the MS answers any RAND 
it is sent. Alternatively, it is also possible to retrieve K_i from the AuC by launching the 
same attack, because the AuC answers each authentication request and returns valid triplets. 
The attack procedure is similar to that used against the SIM card in the MS, and the AuC 
computes much faster than a SIM. The security of the AuC (i.e. who is able to submit 
authentication requests to it) therefore plays a critical role in whether this attack is possible. 


11.4.1.1 Attacks Against GSM Confidentiality 

The session key K_c and the encryption algorithm provide GSM confidentiality. If K_c is com- 
promised, all traffic encrypted with this key is exposed to the attacker. Fortunately, a 
real-time brute-force attack against the GSM cipher is still infeasible despite the small key 
space. The time complexity of the attack is at least O(2^54) (only 54 bits of K_c are 
non-zero), which makes it infeasible to eavesdrop on GSM calls in real time by exhaustive 
search. However, an attacker can record the frames exchanged between the MS and the BTS and 
launch the attack afterwards, off-line. 

One possible attack is to retrieve K_c from its generating function. COMP128-1 was 
broken by Marc Briceno et al. on 13 April 1998 [95]. The secret key K_i was 
retrieved because of the weakness in the compression function of COMP128-1. With 
K_i, the attacker can compute every session key K_c, clone the SIM card, and impersonate the 
legitimate subscriber until the operator replaces K_i. As a result, new versions (COMP128-2, 
COMP128-3, and COMP128-4) were developed, and COMP128-1 was discontinued in 2002. Another 
possible way to retrieve K_c is to attack algorithm A5 itself. Despite the multiple versions, 
the original A5 (i.e. A5/1) is considerably stronger than the export variant A5/2 (and than 
A5/0, which provides no encryption at all). Ironically, the other versions of A5 were 
developed because A5/1 was considered too strong to export GSM service to some countries. 
However, even A5/1 is not strong enough to protect the confidentiality of a subscriber. Due to 
the small size of K_c (54 effective bits), even a brute-force attack requires a time complexity 
of at most 2^54. A divide-and-conquer attack reduces the complexity further, as described next. 

The divide-and-conquer attack computes the content of the third register after guessing the 
content of the first and the second registers. If the clocking of the first and the second 
registers were independent of the third register, the time complexity would be that of 
guessing the 41 bits of R_1 and R_2, i.e. O(2^41). However, because the clocking bit of the 
third register also takes part in the majority decision, the attacker must guess about half 
of the bits of R_3 as well, which increases the time complexity, though it remains far below 
2^54. The attacker needs to determine the initial states of the registers from a known 
keystream sequence, so this is a known-plaintext attack: a total of 64 successive keystream 
bits must be recovered from ciphertext for which the corresponding plaintext is known. Whether 
this is possible depends highly on the format of the data frames. Each data frame contains a 
lot of constant information, e.g. frame headers, so although all 64 bits may not always be 
known, 32-48 bits usually are. 

The A5/2 algorithm was extremely weak and could be broken in real time by low-end equipment 
in the same month it was published in 1999 [99]. Since 1 July 2006, the GSM Association 
(GSMA) has mandated that GSM mobile phones not support the A5/2 algorithm. In July 2007, 
3GPP approved a change request prohibiting the implementation of A5/2 in any new cell 
phones. A5/1 is mandatory in the 3GPP specifications. If a GSM network does not support 
A5/1 or any other A5 algorithm implemented by the phone, an unencrypted connection (A5/0) 
can still be established, which is exactly the behaviour a false base station exploits 
(Section 11.4.2). 


11.4.2 Other Attacks against GSM Security 


Besides attacks on the security algorithms, attacks may also be launched on the signal- 
ing network, such as exploiting the unencrypted messages, false base station attacks, and 
denial of service attacks. As stated earlier, GSM security is only provided between the MS 
and the BTS. In the network subsystem, the traffic is transmitted in plaintext without 
encryption. If an attacker gains direct access to the operator's signaling network, he 
can eavesdrop on everything that is transmitted, including the triplets used for 
authentication and the actual phone calls. It may not be easy to access the part of the 
signaling network that belongs to the wired backbone network. However, parts of the signaling 
network may be connected to the BSC through a microwave or even a satellite link, and such 
wireless links are relatively easy to access with suitable equipment. Another possible attack 
against GSM is the false base station attack. This attack is possible in GSM because of its 
one-way authentication: during the authentication process only the MS is authenticated, and 
the BTS is implicitly trusted. The IMSI catcher is a well-known device that exploits this 
hole. In particular, the IMSI catcher launches a man-in-the-middle attack: it masquerades as 
a BTS to the MSs, but acts as an MS towards the GSM network. The IMSI catcher can thus 
induce the MS to use no encryption by selecting A5/0, or to use A5/2, which can be easily 
broken. Denial of Service (DoS) attacks are also possible against a GSM network. Instead of 
getting "free" service or eavesdropping, an attacker who launches a DoS attack simply wants 
to block the subscriber from getting network service. A typical DoS attack is to jam the 
radio signal to prevent the MS from communicating. As another example, an attacker can keep 
the subscriber's line busy by calling the subscriber again and again. 


11.5 Possible GSM Security Improvements 


Improvements can be made in several ways to enhance GSM security. 


11.5.1 Improvement over Authenticity and Anonymity 


GSM authenticity and anonymity depend on the secret key K_i. Existing GSM security is 
so weak that a subscriber's K_i can be retrieved by attackers. Leakage of K_i makes it possible 
to clone a SIM card. To prevent a SIM card from being cloned, another cryptographically 
secure algorithm is needed to replace A3/A8 (i.e. COMP128-1). This requires the network opera- 
tors to issue new SIM cards to all subscribers and to update the corresponding HLR/AuC software. 
This improvement is relatively easy for network operators, since no third-party hardware or 
software manufacturers of the GSM Consortium need to be involved in the process. However, the 
large population of GSM subscribers can make the upgrade difficult. 


11.5.2 Improvement over Confidentiality 


While a real-time break of the session key K_c by brute force is not possible, off-line attacks 
are quick enough to jeopardize the subscribers' confidentiality. To enhance the confidentiality 
of GSM security, a larger key size and a better security algorithm (e.g. a new A5 implementation 
with stronger encryption) can be deployed so that a brute-force attack is infeasible in any case. 
It could be complicated to implement this improvement. First, the cooperation of the GSM 
Consortium will be needed. Second, third-party hardware and software manufacturers will have 
to upgrade their products to comply with the new encryption algorithm. 


11.5.3 Improvement of the Signaling Network 


Besides securing the wireless links between the MSs and the BTSs, it is critical to secure the 
signaling network in the network subsystem. To do so, it is necessary to encrypt the traffic on 
the backbone network. This would prevent an attacker from wiretapping the signaling 
network. To implement this improvement, both hardware and software need upgrades from 
their manufacturers; the GSM Consortium itself, however, may not need to be involved in the process. 


11.6 Summary 


Security of the GSM system has been introduced in this chapter. GSM security provides authenti- 
cation, confidentiality, and anonymity to protect the network operator and the subscribers. 
However, GSM security is vulnerable due to its short keys, weak algorithms, and unen- 
crypted backbone network. Improvements should have been made to enhance GSM security. 
Unfortunately, very few improvements were made even in the final stage of the GSM 
system, before it was recently phased out. Security enhancements can be seen in 
the new generations of cellular systems. 


12 
UMTS Security 


In this chapter, the security of the Universal Mobile Telecommunications System (UMTS) is 
introduced. UMTS is a third generation (3G) mobile cellular network system developed 
and maintained by the 3rd Generation Partnership Project (3GPP). UMTS is a component 
of the International Telecommunication Union IMT-2000 standard set [100]. The architec- 
ture of UMTS is extended from the GSM standard. UMTS has made a great improvement 
over the GSM system in terms of security [101]. 


12.1 UMTS System Architecture 


The UMTS system architecture is extended from the GSM system, as illustrated in 
Figure 12.1. It involves user equipment (UE), radio access network (RAN), and core 
network (CN). The CN of UMTS is extended from the GSM standard, which consists of 
visitor network and home network. The UE has a radio connection to the RAN. The RAN 
is connected to the CN through the operator’s backbone network. According to the 3GPP 
Release 1999 [102], the components of the UMTS architecture have been named differently 
from that of the GSM system. Figure 12.2 depicts the most important elements in the 3GPP 
Release 1999. As it shows, the 3GPP UMTS architecture consists of three main parts: the 
UE, the UMTS Terrestrial Radio Access Network (UTRAN), and the CN. 


12.1.1 User Equipment 


A UE is a communication terminal that has a radio connection to the RAN. Each UE con- 
sists of two parts, the mobile equipment (ME) and the Universal Subscriber Identity Module 
(USIM). The ME is typically the cell phone that provides communication functionality with 
the network. The USIM is a smart card that is placed inside the ME. It contains all the 
operator-dependent data, including the identity (IMSI/TMSI), the long-term shared key K, 
and other information of the subscriber. These parameters are stored in a tamper-resistant 
environment (i.e. in the Universal Integrated Circuit Card, UICC). The USIM card has the 
same appearance as the SIM card in the GSM system. However, the USIM card supports 
mutual authentication, which is not available in the GSM system. 
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Figure 12.2 3GPP architecture—UMTS. 


12.1.2 UTRAN 


The RAN in the 3GPP system is the UTRAN, which is based on the wideband code division 
multiple access (W-CDMA) technology. UTRAN contains two types of elements: the base 
station and the radio network controller (RNC). The base station is the termination point 
of the radio interface on the network side. It is also named NodeB in the 3GPP architec- 
ture. The base station is connected to the RNC. The RNC is the controlling unit of UTRAN. 
Different from the GSM system, a UE may be connected to the network via several RNCs 
simultaneously, which improves the quality of the connection. The RNC that 
maintains the connection to the CN for a UE is called the Serving RNC (SRNC); the other 
RNCs that connect to the UE are called Drifting RNCs (DRNC). 




12.1.3 Core Network 


The CN consists of several elements, including the Mobile Switching Center (MSC), the 
Visitor Location Register (VLR), the Gateway MSC (GMSC), the Home Location Register 
(HLR), the 3G Serving GPRS Support Node (SGSN), and the Gateway GPRS Support Node 
(GGSN). GPRS is the General Packet Radio Service, which provides packet-oriented mobile data 
service in GSM and UMTS systems. Two domains are served in the CN, the 
circuit switched domain and the packet switched domain. 


e In the circuit switched domain, the MSC and the VLR are part of the serving network. 
The two elements are typically integrated together. The VLR is a database that contains 
the users currently in the location area controlled by the MSC. The GMSC is respon- 
sible for connecting the mobile network to the Public Switched Telephone Network 
(PSTN). 

e In the packet switched domain, the SGSN serves the function of MSC/VLR for the packet 
oriented mobile data service. The GGSN is responsible for connecting the mobile network 
to the IP network (e.g. the Internet). 


The HLR and the Authentication Center (AuC) serve both domains in the CN, and they 
are part of the home network. The two elements are typically integrated together. The AuC 
has a database that holds the permanent security data related to subscribers (i.e. the iden- 
tities and the secret keys) that can be used for security features in the serving network and 
in the access network. 


12.2 UMTS Security Features 


3GPP TS 33.102 is the 3GPP technical specification that defines the security architecture 
of UMTS [103]. The security features defined in this technical specification are shown 
in Figure 12.3. According to the specification, there are five groups of security features in 
UMTS, as follows: 

Figure 12.3 Security features defined by 3GPP TS 33.102. 
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e Network access security (I): the set of security features that provide users with secure access 
to 3G services, in particular protect against attacks on the radio access link; 

e Network domain security (II): the set of security features that enable nodes in the provider 
domain to securely exchange signaling data, and protect against attacks on the backbone 
network; 

e User domain security (III): the set of security features that secure access to mobile stations; 

e Application domain security (IV): the set of security features that enable applications 
in the user and in the provider domain to securely exchange messages; 

e Visibility and reconfigurability of security (V): the set of features that enables the user 
to inform himself whether a security feature is in operation or not and whether the use 
and provision of services should depend on the security feature. 


12.3 UMTS Network Access Security 


The radio access technology of UMTS is W-CDMA, replacing the Time Division Multiple 
Access (TDMA) of GSM. Nonetheless, the requirements for access security do not change 
in UMTS. Entity authentication is one of the security features provided in UMTS: the identity 
of a subscriber must be authenticated before service is granted, which protects end users from 
fraudulent calls and packet data services made by others in their name. Confidentiality is 
provided in the UMTS RAN to protect the transmission of user data, and protects end users from 
data leakage to eavesdroppers. Moreover, confidentiality also protects other aspects of a user's 
privacy, for example location privacy. Although it may not be critical if a user is traceable, 
persistent tracking is certainly irritating and should be avoided. The integrity of radio network 
signaling is also provided in UMTS. Manipulation of control messages can thus be detected, 
enabling the network operator to control the network functions effectively. Integrity protection 
of signaling also makes the negotiation of security parameters (e.g. the choice of cipher) 
tamper-evident, closing the downgrade path that the GSM false base station attack relied on. 
Although some data loss does not affect a phone call too much, providing integrity certainly 
enhances the packet data service as well as the control efficiency for the network operator. In 
the rest of this section, the security features and ciphers in the first release of the 3GPP system 
specifications (i.e. Release 1999) are introduced. For ease of illustration, the parameters used in 
UMTS access control security are listed in Table 12.1. 


12.3.1 Authentication and Key Agreement 


12.3.1.1 The AKA Mechanism 
The Authentication and Key Agreement (AKA) mechanism of the UMTS is extended from 
the GSM system. It is also a challenge-and-response authentication process. Different from 
the GSM system, the UMTS achieves mutual authentication, where the subscriber’s identity 
is verified by the serving network, and the UE checks that the serving network is connected 
to the legitimate network. The mutual authentication protocol protects the UMTS from 
false base station attack. 

Table 12.1 Parameters used in UMTS access control security. 

SQN    Sequence number 
RAND   Random number 
AMF    Authentication and key management field 
K      Shared key 
MAC    Message authentication code 
XMAC   Expected MAC 
CK     Cipher key 
IK     Integrity key 
AK     Anonymity key 
XRES   Expected response 
RES    Response 
AUTN   Authentication token 
AV     Authentication vector 

Figure 12.4 UMTS authentication. (Message flow between USIM, VLR/SGSN and HLR/AuC: the 
VLR/SGSN sends an authentication data request with the IMSI; the AuC runs f1 to f5 on K, 
RAND, SQN and AMF to obtain XRES, CK, IK, AK and MAC and returns RAND, XRES, CK, IK, 
AUTN; the VLR/SGSN forwards RAND and AUTN to the USIM, which recovers SQN using f5, 
verifies the MAC using f1, checks SQN freshness and computes RES, CK, IK; the VLR/SGSN 
then checks RES = XRES.) 

The UMTS AKA mechanism is shown in Figure 12.4. The AKA mechanism has three 
major components: a USIM, the serving network, and the home network. A USIM is the 
subscriber to be connected to the serving network (i.e. the VLR/SGSN) that provides service. 
Since a USIM alone does not work without an ME (e.g. a cell phone), the UE is 
also referred to as the subscriber for ease of description. The home network (i.e. the HLR/AuC) 
is the third part of the AKA mechanism. The VLR/SGSN has a direct connection with the UE, 
the VLR/SGSN contacts the HLR at the home network of the UE, and the AuC performs 
the core functions that generate the parameters for authentication. The components and tasks 
are similar to those of the GSM system, with the addition of the SGSN, which is responsible 
for the packet data service. The detailed steps of the UMTS authentication protocol are: 


(1) The UE initiates an authentication request by sending the IMSI to the serving network 
(i.e. the VLR/SGSN). 

(2) The VLR/SGSN forwards the authentication request and the IMSI to the HLR of the 
home network of the UE. 

(3) In the home network, the HLR forwards the IMSI to the AuC. 

(4) The AuC retrieves the corresponding K of the supplicant and generates authentication 
vector (RAND, XRES, CK, IK, AUTN). 

(5) The HLR forwards the authentication vector to the VLR/SGSN of the serving network. 

(6) The VLR/SGSN stores the XRES, CK, and IK, and forwards the RAND and AUTN to the 
supplicant. 

(7) The supplicant verifies the MAC and the SQN (part of the AUTN that will be illustrated 
later); and generates RES, CK, and IK. 

(8) The supplicant sends RES to the VLR/SGSN. 

(9) The VLR/SGSN compares the XRES generated by the AuC with the RES generated by 
the supplicant. If they match, the authentication succeeds. 


In the UMTS authentication protocol, the UE is authenticated by comparing XRES 
and RES at the VLR/SGSN. The serving network is authenticated by the UE by verifying the 
AUTN. If the AUTN is legitimate and fresh (i.e. was not sent to the USIM before), then the 
UE can be sure that the serving network has obtained the vector from the legitimate home 
network operator. The AKA mechanism relies entirely on the long-term secret key K, which is 
shared between the subscriber and the home network HLR/AuC. K is a 128-bit key stored 
in the USIM and in the HLR/AuC. The secret key is never exposed to the serving network 
during the authentication process; the serving network only receives the derived quantities 
RAND, XRES, CK, IK, and AUTN. 


12.3.1.2 Authentication Vector Generation 
The authentication vector (AV) consists of five fields, that is, 

AV = RAND || XRES || CK || IK || AUTN, 

where RAND is a random challenge, XRES is the expected response, CK is the cipher 
key that will be used for encryption, and IK is the integrity key that will be used for 
integrity protection of signaling. AUTN is the authentication token: 

AUTN = (SQN ⊕ AK) || AMF || MAC, 


where SQN is a sequence number that is used to prevent replay attacks, AMF is the authen- 
tication and key management field, which the home network uses to tell the USIM how a 
particular authentication vector is to be used (for example, which authentication algorithm 
or key set applies), and MAC is the message authentication code. AK, CK, and IK are the 
three temporary keys derived during an authentication process. Technically, these keys are not 
part of the authentication but of the key agreement; this is why the process is known as the 
Authentication and Key Agreement (AKA) mechanism in UMTS security. An illustration of the 
authentication vector generation is shown in Figure 12.5. 

Figure 12.5 Generation of authentication vector. 

The authentication vector is generated by five cryptographic functions: 


• f1: the network authentication function; 

• f2: the user authentication function; 

• f3: the cipher key derivation function; 

• f4: the integrity key derivation function; 

• f5: the anonymity key derivation function. 


All the five cryptographic functions are one-way functions. In other words, it is relatively 
easy to compute the output with the input, but practically impossible to invert the com- 
putation. Theoretically, nobody can derive the authentication vector without knowing the 
secret K. 

The function f1 takes in four inputs, K, AMF, SQN, and RAND. The 64-bit SQN 
is generated to protect the freshness of the AV. RAND is a 128-bit seed. A cryptographic 
pseudo-random number generator is assumed available to generate large amounts of unpre- 
dictable RAND. The output of f1 is the 64-bit MAC. The inputs for functions f2, f3, f4, and 
f5 are the same, i.e. K and RAND. The functions f2, f3, f4, and f5 generate the 32-bit 
XRES, 128-bit CK, 128-bit IK, and 64-bit AK, respectively. SQN is to protect the freshness 
of the AV, thus transmitting it in clear text must be avoided. AK is generated to encrypt SQN. 

There are two approaches to create SQN: one is to assign each user an individual SQN, 
the other is to generate SQN based on a global counter. One can also combine the two 
approaches, assigning the most significant part of the SQN as user-specific 
while using a global counter for the least significant part. 3GPP specification 33.102 
describes three options for generating SQN [104]. The network operator is also free to 
choose other ways of generating SQN. One option that applies the combination of the two 
parts defines SQN as SQN = SEQ||IND. If AVs are sent in batches, the same SEQ is applied 
for all AVs in one batch to reduce the complexity. There are three ways to generate the 
value of SEQ. 

• Generated based on an individual counter for each user. 

• Generated based on a global counter and a deviation for each user. The deviation is ideally 
0 for all users but could be different due to synchronization errors. 

• Generated based on an individual counter (which generates 19-bit SEQ1) and a global 
counter (which generates 24-bit SEQ2). SEQ1 is thus user-specific and stored in the 
database. SEQ1 is kept constant until SEQ2 wraps around. 

As shown, the first two ways are extreme cases of the third one. IND (5 bits) is based 
on a global counter. The value of IND is incremented by one for each new AV. When IND 
reaches the maximal value, it wraps around to 0. Thus SQN is 48 bits in total. 


12.3.1.3 AKA on the UE Side 

The AKA on the UE side is illustrated in Figure 12.6. All the functions are performed on the 
USIM with parameters stored on the USIM as well. Therefore, the AKA on the UE side is 
actually handled by the USIM. However, the ME is a must to provide radio interface for data 
transmission. All five functions f1 to f5 are available at the UE side. As mentioned earlier, 
the authentication is completed by comparing XRES that is computed by the AuC and RES 
that is computed by the USIM. RES is the output of f2 with inputs K and RAND. Both RAND 
and AUTN are sent to the USIM. Therefore, RES can be easily computed by the subscriber. 
However, calculating RES alone only authenticates the subscriber to the network operator, 
which is the major flaw of the GSM AKA mechanism. In the UMTS AKA mechanism, the 
subscriber will first authenticate the accessing network. Based on the received RAND and K, 
the USIM computes AK through f5 first. Then, SQN is revealed to the USIM. Note that SQN 
is only known to the AuC and the USIM since AK cannot be generated without knowing K. 
The freshness of SQN is then checked by the USIM. If SQN is valid, then the USIM inputs K, 
AMF, SQN, and RAND to f1. The output is XMAC, which is compared with MAC received 
as part of AUTN. If XMAC matches MAC, then it implies that RAND and AUTN have been 
created by the AuC since it is the only entity that knows K besides the subscriber. In other 
words, the serving network is authenticated to the subscriber if MAC = XMAC. Once the 
serving network is authenticated, the UE generates RES with f2 and replies with it to the serving 
network for authentication. CK and IK are generated with f3 and f4, respectively. They are 
kept at the UE side for confidentiality and integrity of data transmission. 

Figure 12.6 Verification on user equipment. 
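The following is an added example, not code from the book or from 3GPP, that runs the AKA exchange of Sections 12.3.1.2 and 12.3.1.3 end to end: the AuC builds AV = RAND||XRES||CK||IK||AUTN with SQN = SEQ||IND, the USIM unmasks SQN with AK, checks freshness, compares XMAC with MAC and only then answers RES, and the VLR/SGSN compares RES with XRES. Assumptions: f1 to f5 are stand-ins built from HMAC-SHA256 truncated to the widths given in the text (the real functions are operator specific, e.g. MILENAGE); the 48-bit SEQ||IND value is carried in a 64-bit field so that it matches the 64-bit AK of the text; the USIM's freshness rule is the simplified "strictly newer than the highest SQN seen"; the key K and the AMF value are constructed.

```python
import hashlib
import hmac
import os

# Constructed 128-bit long-term key K, shared only by the USIM and the HLR/AuC.
K = bytes.fromhex("00112233445566778899aabbccddeeff")
AMF = bytes.fromhex("8000")   # constructed 16-bit AMF value
IND_BITS = 5                  # IND is the 5-bit low part of SQN = SEQ || IND


def _prf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


# Stand-ins for f1..f5 (assumption): HMAC-SHA256 truncated to the output widths
# given in the text. The real functions are operator specific (e.g. MILENAGE).
def f1(k, sqn, rand, amf): return _prf(k, b"f1", sqn, rand, amf)[:8]   # 64-bit MAC
def f2(k, rand): return _prf(k, b"f2", rand)[:4]                      # 32-bit (X)RES
def f3(k, rand): return _prf(k, b"f3", rand)[:16]                     # 128-bit CK
def f4(k, rand): return _prf(k, b"f4", rand)[:16]                     # 128-bit IK
def f5(k, rand): return _prf(k, b"f5", rand)[:8]                      # 64-bit AK


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_sqn(seq: int, ind: int) -> bytes:
    """SQN = SEQ || IND (43 + 5 bits), carried in a 64-bit field to match the 64-bit AK."""
    return ((seq << IND_BITS) | ind).to_bytes(8, "big")


class AuC:
    """Home network side: builds AV = RAND || XRES || CK || IK || AUTN."""

    def __init__(self, k: bytes):
        self.k, self.seq, self.ind = k, 0, 0

    def generate_av(self) -> dict:
        rand = os.urandom(16)                        # 128-bit random challenge
        sqn = make_sqn(self.seq, self.ind)
        self.ind = (self.ind + 1) % (1 << IND_BITS)  # IND wraps cyclically ...
        if self.ind == 0:
            self.seq += 1                            # ... and SEQ advances on wrap
        mac = f1(self.k, sqn, rand, AMF)
        autn = xor(sqn, f5(self.k, rand)) + AMF + mac    # (SQN ⊕ AK) || AMF || MAC
        return {"RAND": rand, "XRES": f2(self.k, rand), "CK": f3(self.k, rand),
                "IK": f4(self.k, rand), "AUTN": autn}


class USIM:
    """Subscriber side: authenticates the network (SQN freshness + MAC), then answers RES."""

    def __init__(self, k: bytes):
        self.k = k
        self.highest_sqn = -1   # simplified freshness state: accept only a strictly newer SQN

    def process(self, rand: bytes, autn: bytes):
        masked_sqn, amf, mac = autn[:8], autn[8:10], autn[10:18]
        sqn = xor(masked_sqn, f5(self.k, rand))     # AK (from f5) unmasks SQN
        if int.from_bytes(sqn, "big") <= self.highest_sqn:
            return None                              # replayed or stale AV
        xmac = f1(self.k, sqn, rand, amf)
        if not hmac.compare_digest(xmac, mac):
            return None                              # AUTN not produced by a holder of K
        self.highest_sqn = int.from_bytes(sqn, "big")
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)   # RES, CK, IK


def run_aka(usim: USIM, av: dict) -> bool:
    """VLR/SGSN role: forward RAND and AUTN to the USIM, then compare RES with XRES."""
    answer = usim.process(av["RAND"], av["AUTN"])
    if answer is None:
        return False        # USIM refused to answer: network not authenticated
    res, ck, ik = answer
    return hmac.compare_digest(res, av["XRES"])
```

Replaying an AV fails at the USIM's freshness check before any MAC is computed, and an AUTN whose MAC was altered fails at the XMAC comparison, so the USIM never releases RES, CK or IK for either; only the VLR/SGSN ever sees XRES and RES, and K stays inside the AuC and the USIM.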


12.3.2 Confidentiality 


Confidentiality is provided in the UMTS for data transmission over radio links between the 
UE and the RNC. As described earlier, once the user and the network have authenticated 
each other, a CK is shared between the serving network and the subscriber. 3GPP Release 
1999 defined one encryption algorithm for secure communications over the radio link [102]. 
The UMTS encryption algorithm is based on a stream cipher f8. As illustrated in Figure 12.7, 
f8 takes in CK and a few other parameters to generate a keystream block that is to be XORed 
with the plaintext block. The decryption is the same by XORing the ciphertext with the 
keystream. The advantage of this encryption is that keystreams can be generated before- 
hand even without knowing the plaintext/ciphertext. Therefore the encryption/decryption 
operation can be done in real time. 

The inputs of f8 include CK, BEARER, COUNT-C, DIRECTION, and LENGTH. CK is 
128 bits long. For a stream cipher, a keystream should never be reused; thus, f8 takes in a few 
parameters besides CK so that the inputs change for each keystream output. BEARER is a 
5-bit radio bearer identity that is included to avoid generating the same keystream, because 
different radio bearers associated with a single user may use the same CK. 

COUNT-C is a 32-bit parameter that varies the input of f8. It is the combination of 
the Connection Frame Number/Radio Link Control Sequence Number (CFN/RLC-SN) and 
the Hyper Frame Number (HFN). CFN is a counter in the medium access control layer, and 
RLC-SN is a counter in the radio link control layer. The two short counters change for 
every protocol data unit (PDU). HFN is a longer counter that increments whenever the 
short counter wraps around. If encryption occurs in the medium access control layer then 
CFN is applied. COUNT-C is computed as: 

COUNT-C = HFN || CFN, 

where HFN is 25 bits and CFN is 7 bits. If encryption occurs in the radio link control layer 
then RLC-SN is applied. COUNT-C is computed as: 

COUNT-C = HFN || RLC-SN. 

In this case, there are two modes: UM and AM. In the UM mode, HFN is 25 bits and 
RLC-SN is 7 bits. In the AM mode, HFN is 20 bits and RLC-SN is 12 bits. The longer counter 
HFN is reset to zero whenever an AKA is processed. Thus, the reuse of COUNT-C with the 
same CK is almost impossible in practice. 

DIRECTION is a 1-bit parameter that indicates whether the encryption is for uplink or 
downlink traffic. If DIRECTION is 0, then encryption is for uplink (i.e. transmission from UE 
to RNC). If DIRECTION is 1, then encryption is for downlink (i.e. transmission from RNC to 
UE). Applying the direction indicator avoids using the same keystream to encrypt both uplink 
and downlink transmission, which is not achieved in the GSM system. 

LENGTH is a 16-bit parameter that indicates the length of data to be encrypted. The limit 
of LENGTH is 20 000, or 20 000 bits as the maximal length of a message. Since the length of 
the plaintext block varies for a given BEARER and DIRECTION, LENGTH depends on the 
RLC PDU/MAC signaling data unit (SDU) size, number of RLC PDUs/MAC SDUs that may 
be sent in a single physical layer frame for a given BEARER and DIRECTION. The length 
of the output keystream is determined by LENGTH. The standard f8 algorithm is specified 
to support any lengths and length granularities. 

KEYSTREAM is the output of f8. It has the length of the plaintext block, which consists 
of the payload of the particular RLC PDUs/MAC SDUs to be encrypted. The encryption 
is performed by XORing the PLAINTEXT with the KEYSTREAM. The ciphertext has the 
length of the plaintext block (i.e. LENGTH). At the receiver side, the same CK, BEARER, 
COUNT-C, DIRECTION, and LENGTH are input to f8 to generate the same KEYSTREAM. 
Decryption is performed by XORing the CIPHERTEXT with the KEYSTREAM. 


12.3.3 Data Integrity 


The UMTS provides data integrity protection to authenticate individual control messages. 
Similar to confidentiality, integrity is also provided over the radio links between the UE and 
RNC. The integrity protection is based on a message authentication code. As mentioned 
in Chapter 6, a MAC takes in the message to be authenticated and a shared key. In the 
UMTS integrity mechanism, the key is IK that is generated during the AKA procedure. As 
shown in Figure 12.8, the core function of integrity protection is f9. The function takes in IK, 
COUNT-I, MESSAGE, DIRECTION and FRESH, and outputs the 32-bit MAC-I. The MAC-I is 
appended to each message before sending to the receiver. Once the message (along with the 
MAC-I) is received, the receiver also computes an XMAC-I by running the same f9 function 
with the same inputs. If XMAC-I matches the received MAC-I, then the data integrity is 
verified. Any change in the input parameters will affect the output MAC in a random way. 

IK is the 128-bit integrity key that is generated during the AKA procedure. IK is only 
known to the UE and the RNC. The AuC generates IK but it may not require it afterwards 
because the radio link transmissions are between the UE and the RNC only. 

COUNT-I is a 32-bit counter. The counter changes for each message (incrementing 
by 1 for each message), thus it ensures a different input even for the same message. In other 
words, COUNT-I operates as a nonce that protects the system against replay attacks. The 
most significant part of COUNT-I is a 28-bit HFN. The least significant part of COUNT-I 
is a 4-bit RRC-SN. COUNT-I is initialized using the same procedure as for COUNT-C. 
The initial HFN is sent to the network by the user. The user stores the most used HFN from 
the previous connection and increments it for the new connection. 

Figure 12.8 Message authentication in UMTS. 

MESSAGE is the message to be transmitted. Unlike the 20 000-bit length limit set for the 
keystream of f8, there is no limit on the input message length of f9. It was initially 
limited to 20 000 bits as well, but that limit will most likely never be reached for f9 data input. 

FRESH is a 32-bit parameter randomly chosen by the RNC and transmitted to the UE. 
The purpose of FRESH is to protect the system against a maliciously-chosen start value for 
COUNT-I, which could otherwise allow a replay attack using an old MAC-I. 

Radio bearer identity is not part of the inputs for f9 as it is for f8 (i.e. the encryption 
algorithm). However, the radio bearer identity is always appended to the message. Thus, the 
output MAC-I is affected by the radio bearer identity; moreover, replay attacks based on 
recording messages from different radio bearers are thereby prevented. 


12.3.4 User Identity Confidentiality 


A UE needs to identify itself in many cases in the UMTS. For example, paging, location 
update, attach and detach all require an identity from the UE. The permanent identity of the 
user is IMSI, which is the same in GSM. In order to protect the user identity against passive 
eavesdroppers, the IMSI should not be transmitted very often. Therefore, the UMTS applies 
temporary identities for users in UTRAN. There are two types of temporary identities: TMSI 
in the circuit switched domain and P-TMSI in the packet switched domain. 

The allocation of a temporary identity is shown in Figure 12.9. The SN first requests the 
IMSI from the UE. The IMSI is then sent in clear text to the SN. Note that the permanent 
identity needs to be acquired during initial registration because a temporary identity is sim- 
ply a random value to the SN at that point. Once the SN acquires the IMSI, it stores the IMSI 
and allocates a unique temporary identity (a TMSI or a P-TMSI). The temporary identity is 
then sent back to the UE for further communications. An acknowledgment is sent by the 
UE to complete the allocation process. 

If a temporary identity renewal acknowledgment is not received by the SN, the SN keeps 
both the old and new temporary identities and accepts either of them in uplink transmission 
(i.e. from UE to SN). However, in downlink transmission (i.e. from SN to UE), IMSI is used 
because the SN is not certain which temporary identity is stored in the UE. The UE will 
be informed to delete its stored temporary identity. A new temporary identity allocation 
follows after that. 

Figure 12.9 Temporary identity allocation process (exchange between UE and SN: IMSI request, IMSI, TMSI allocation, TMSI ACK). 

Besides the temporary identity itself, a location identity is appended to it. For a TMSI, 
it is the location area identity (LAI) that stores the location information. For a P-TMSI, it 
is the routing area identity (RAI), respectively. When a UE is handed over to a new SN, 
the association between IMSI and temporary identity can be fetched from the previous SN 
without initiating another allocation. Moreover, unused AVs (for authentication) can also 
be transferred from the previous SN. If such location information is unknown, then the SN 
must initiate a new temporary identity allocation process as well as the AKA process. 

Note that the user identity confidentiality mechanism does not offer very good protec- 
tion against active attackers. For example, an active attacker may pretend to be an SN and 
initiate a temporary identity allocation process to fetch the IMSI of a UE. Unfortunately, 
mutual authentication may not be applied here since the UE must be identified before the 
AKA process. 


12.4 Algorithms in Access Security 


As mentioned earlier in this chapter, f8 is the core function for the encryption mechanism, 
and f9 is the core function for the integrity mechanism. 3GPP TS 35.201 has the specifica- 
tions publicly available for the functions [105]. Both f8 and f9 are based on a novel block 
cipher KASUMI, which is specified in 3GPP specification TS 35.202 [106]. In this section, 
the functions and algorithms of f8, f9, and KASUMI are illustrated. 


12.4.1 Encryption Algorithm f8 


Algorithm f8 is the core of the UMTS encryption mechanism to generate the keystreams. 
An overview of f8 is shown in Figure 12.10. Algorithm f8 makes use of the KASUMI block 
function, which operates on a 64-bit input with a 128-bit key and produces a 64-bit output block. Two 
64-bit registers are used, one is a static register and the other is a counter. Inputs to the 
static register include a 64-bit initialization value IV, which concatenates 32-bit COUNT, 
5-bit BEARER, 1-bit DIRECTION and a string of 26 zero bits, s.t., 

IV = COUNT||BEARER||DIRECTION||0 ... 0. 

Another input to the static register is CK ⊕ KM, where KM is a 128-bit key modifier con- 
stant that is 01010101 repeated 16 times. For better illustration, let KASUMI_key(input) be a 
KASUMI operation on a 64-bit input with a 128-bit key. The output W of the static register is: 

W = KASUMI_{CK ⊕ KM}(IV). 


The result W is stored in the static register to generate keystream bits. 
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Figure 12.10 An overview of the f8 algorithm. 


BLKCNT is the counter of the second register for f8. This register takes in W (the output 
of the static register), the counter BLKCNT, and the cipher key CK. The inputs change due 
to the incrementation of BLKCNT after each operation, thus the register is not static. For each 
operation of the register, it generates a block of keystream bits, where each block has 64 bits. 
Between 0 and 63 of the least significant bits of the last block are discarded 
to match the total number of bits required by LENGTH (that is between 1 and 20 000 bits). 
Let BLOCKS denote the number of required blocks to generate the required keystream bits. 
The value of BLOCKS is determined by LENGTH as follows: 

BLOCKS = ⌈LENGTH / 64⌉. 

The counter for the last block is BLOCKS − 1. Let KSB_n denote the output keystream block 
of the nth block. KSB_n has a total of 64 bits, e.g. KSB_1 = KS[0] ... KS[63], then the current 
output keystream block is computed as follows: 

KSB_n = KASUMI_CK(W ⊕ (n − 1) ⊕ KSB_{n−1}), with KSB_0 = 0, 

and the bit by bit keystream is: 

KS[64(n − 1) + i] = KSB_n[i], 0 ≤ i ≤ 63. 


12.4.1.1 Integrity Algorithm f9 

Algorithm f9 is the core function for the 3GPP integrity mechanism. The specification of f9 is 
detailed in 3GPP TS 35.201 [105]. As shown in Figure 12.11, f9 is also based on the same 
block cipher KASUMI used by the confidentiality algorithm f8. The input of f9 is a padded 
string (PS), which is the concatenation of 32-bit COUNT, 32-bit FRESH, MESSAGE (with 
a length of LENGTH), 1-bit DIRECTION and a string in the form of 10 ... 0. The string has 
a single "1" bit followed by between 0 and 63 "0" bits so that the total length of the input is 
an integral multiple of 64 bits, i.e. 

PS = COUNT||FRESH||MESSAGE||DIRECTION||10 ... 0. 

Unlike f8, there is no limitation on input length for f9. For any input to f9, it generates a 
32-bit output MAC-I with the integrity key IK. 


Figure 12.11 The f9 integrity mode: the padded string COUNT || FRESH || MESSAGE || DIRECTION || 10...0 is split into PS_0, PS_1, ..., PS_{BLOCKS−1}; each block is passed through KASUMI under IK in a chain; the outputs O_0, O_1, ..., O_{BLOCKS−1} are XORed together and passed through KASUMI under IK ⊕ KM to give O_final (MAC-I). 


Let BLOCKS be the number of blocks (64 bits each) of the padded input. Let PS_i be the input 
of the (i + 1)th block, then the padded string is divided as follows: 

PS = PS_0||PS_1|| ... ||PS_{BLOCKS−1}. 


There are two parts in the f9 algorithm. The first part uses KASUMI in a form of CBC- 
MAC mode, where the output of each block operation is input to the next block operation. 
The operation of each block is: 

O_0 = KASUMI_IK(PS_0), 
O_i = KASUMI_IK(PS_i ⊕ O_{i−1}), 1 ≤ i ≤ BLOCKS − 1. 

The outputs O_i for all block operations are XORed together and input to the second part 
of f9. The second part is a single block operation that generates the final MAC-I. In this block 
operation, the input key is IK ⊕ KM, where KM is the 128-bit key modifier that is 10101010 
(AA in HEX) repeated 16 times. Thus, the output of the final block operation is 

O_final = KASUMI_{IK ⊕ KM}(O_0 ⊕ O_1 ⊕ ··· ⊕ O_{BLOCKS−1}). 

The 32-bit MAC-I is the left-most 32 bits of O_final. The right-most 32 bits of O_final are 
discarded. 


12.4.2 Description of KASUMI 


Both confidentiality algorithm f8 and integrity algorithm f9 are based on the block cipher 
KASUMI. KASUMI was designed by the Security Algorithms Group of Experts (SAGE) for 
3GPP to use in UMTS security system. The specification of KASUMI is detailed in 3GPP TS 
35.202 [106]. An overview of the KASUMI algorithm is shown in Figure 12.12. 


12.4.2.1 An Overview of KASUMI Algorithm 

KASUMI is a block cipher that takes in 64-bit input and generates 64-bit output under the 
control of a 128-bit key. The core of KASUMI is an eight-round Feistel structure. In each 
round, the input is divided into two parts, where the 32 most significant bits are the input 
to the left hand side, and the 32 least significant bits are the input to the right hand side. 
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Figure 12.12 KASUMI block cipher. 


A 16-bit round key is input to each round. The round keys are derived from the original 
128-bit key using a fixed key schedule. 

Let L_{i−1} and R_{i−1} be the two halves input to the ith round. The 64-bit input I is divided into 
two 32-bit strings L_0 and R_0, s.t., 

I = L_0||R_0. 

Let the round function be F_i(·) for the ith round (1 ≤ i ≤ 8), then the output of each round 
is computed as follows: 

L_i = F_i(KL_i, KO_i, KI_i, L_{i−1}) ⊕ R_{i−1}, 

R_i = L_{i−1}, 

where KL_i, KO_i, KI_i are round keys for the ith round. One can see that KASUMI follows the 
Feistel structure: the right half of each round is XORed with the output of the round func- 
tion F_i(·), and the halves are swapped for output. Note that the swapped outputs of the 
ith round are inputs to the (i + 1)th round. The final output of a KASUMI function is the 
concatenation of the outputs of the last round as follows: 

Output = L_8||R_8. 


12.4.2.2 Round Function F_i(·) 

For the ith round, the round function F_i(·) takes in the 32-bit left input (i.e. L_{i−1}) under the 
control of a round key (K_i), and outputs a 32-bit value that is to be XORed to the right input 
R_{i−1}. The round key K_i is a composition of subkeys KL_i, KO_i, and KI_i. The round function 
comprises two functions, i.e. FL(·) and FO(·). Depending on the specific round, F_i(·) 
has two different forms. 

• For rounds 1, 3, 5, and 7, the round function is defined as: 

F_i(K_i, L_{i−1}) = FO(KO_i, KI_i, FL(KL_i, L_{i−1})). 

• For rounds 2, 4, 6, and 8, the round function is defined as: 

F_i(K_i, L_{i−1}) = FL(KL_i, FO(KO_i, KI_i, L_{i−1})). 
12.4.2.3 Function FL 

Function FL(·) takes in a 32-bit input I, which is split into two 16-bit halves I = L||R. First, 
the left half of the input L is ANDed bitwise with subkey KL_{i,1}, and rotated left by one bit. 
Then, the result is XORed to the right half of the input R. The result is the right half of the 
output R'. Let ROL(x, n) denote rotating x left by n bits, then R' is generated as follows: 

R' = ROL(L ∧ KL_{i,1}, 1) ⊕ R. 

To generate the left half of the output L', one needs to bitwise OR the output R' with sub- 
key KL_{i,2}, and rotate the result left by one bit. After that, the result is XORed to the left 
half of the input L to get the left half of the output L'. Mathematically, L' is generated 
as follows: 

L' = ROL(R' ∨ KL_{i,2}, 1) ⊕ L. 

The final output of function FL(·) is the concatenation of the left and right halves as L'||R'. 


12.4.2.4 Function FO 

Function FO(·) also takes in a 32-bit input I, which is split into two 16-bit halves I = L_0||R_0. 
FO(·) has a Feistel-like structure with three rounds. In each round, the input of the left half 
goes through a function to generate the right half of the output. The input of the right half 
is directly applied as the left half of the next round. Let R_j and L_j (1 ≤ j ≤ 3) denote the right 
and left halves of the output of the jth round, respectively. They are generated as 

R_j = FI(KI_{i,j}, L_{j−1} ⊕ KO_{i,j}) ⊕ R_{j−1}, 
L_j = R_{j−1}, 

where KI_{i,j} and KO_{i,j} are subkeys for the ith round of the KASUMI algorithm and the jth 
round of FO(·). FI(·) is the round function applied in each round of FO(·). The final output 
of the function is the 32-bit value L_3||R_3. 


12.4.2.5 Function FI 

The function FI(·) takes in a 16-bit input I and subkey KI_{i,j}. The input I is split into two 
unequal halves I = L_0||R_0. The left half L_0 is 9 bits and the right half R_0 is 7 bits. Subkey 
KI_{i,j} is also split into 7-bit KI_{i,j,1} and 9-bit KI_{i,j,2}. FI(·) also has a Feistel-like structure with 
four rounds. The round function in FI(·) is performed with two substitution boxes (S-boxes), 
the 9-bit S9 and the 7-bit S7. In rounds 1 and 3, S9 is applied; in rounds 2 and 4, S7 is applied. The 
four rounds in FI(·) are different from each other. 

(1) In the first round, the inputs are L_0 and R_0. The output of the left half is L_1 = R_0. 
To generate the output of the right half R_1, bits of L_0 are first shuffled by S9. The result 
is then XORed with the zero-extended R_0. Mathematically, R_1 is computed as follows: 

R_1 = S9(L_0) ⊕ (00||R_0), 

where S9(x) is shuffling x by S9. 

(2) In the second round, R_1 is XORed with subkey KI_{i,j,2} to generate L_2, s.t., 

L_2 = R_1 ⊕ KI_{i,j,2}. 

Then, bits of L_1 are shuffled by S7. The result is then XORed with the seven least sig- 
nificant bits (LS7) of R_1 and subkey KI_{i,j,1} to get the output R_2. Mathematically, R_2 is 
computed as follows: 

R_2 = S7(L_1) ⊕ LS7(R_1) ⊕ KI_{i,j,1}. 

(3) In the third round, the output L_3 is R_2. To generate the output of the right half R_3, bits of L_2 
are first shuffled by S9, the result is then XORed with the zero-extended R_2. Mathematically, 
R_3 is computed as follows: 

R_3 = S9(L_2) ⊕ (00||R_2). 

(4) In the last round, bits of L_3 are shuffled by S7, and the result is XORed with the seven least 
significant bits of R_3 to generate L_4, s.t., 

L_4 = S7(L_3) ⊕ LS7(R_3). 

The output of the right half is R_4 = R_3. 

Finally, the output of FI(I, KI_{i,j}) = L_4||R_4. 
12.4.2.6 S-boxes S7 and S9 

S-boxes S7 and S9 are the heart of function FI. They are designed to shuffle 7-bit and 9-bit 
inputs, respectively. Let the two 7-bit strings [x6, x5, ..., x0] and [y6, y5, ..., y0] be the input and 
output of S7. Let x_i x_j (written xixj, e.g. x1x3) indicate the AND operation such that 

x_i x_j = x_i ∧ x_j. 

Then the gate logic of S7 is as follows: 

y0 = x1x3 ⊕ x4 ⊕ x0x1x4 ⊕ x5 ⊕ x2x5 ⊕ x3x4x5 ⊕ x6 ⊕ x0x6 ⊕ x1x6 ⊕ x3x6 ⊕ x2x4x6 ⊕ x1x5x6 ⊕ x4x5x6, 

y1 = x0x1 ⊕ x0x4 ⊕ x2x4 ⊕ x5 ⊕ x1x2x5 ⊕ x0x3x5 ⊕ x6 ⊕ x0x2x6 ⊕ x3x6 ⊕ x4x5x6 ⊕ 1, 

y2 = x0 ⊕ x0x3 ⊕ x2x3 ⊕ x1x2x4 ⊕ x0x3x4 ⊕ x1x5 ⊕ x0x2x5 ⊕ x0x6 ⊕ x0x1x6 ⊕ x2x6 ⊕ x4x6 ⊕ 1, 

y3 = x1 ⊕ x0x1x2 ⊕ x1x4 ⊕ x3x4 ⊕ x0x5 ⊕ x0x1x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x2x6 ⊕ x1x3x6, 

y4 = x0x2 ⊕ x3 ⊕ x1x3 ⊕ x1x4 ⊕ x0x1x4 ⊕ x2x3x4 ⊕ x0x5 ⊕ x1x3x5 ⊕ x0x4x5 ⊕ x1x6 ⊕ x3x6 ⊕ x0x3x6 ⊕ x5x6 ⊕ 1, 

y5 = x2 ⊕ x0x2 ⊕ x0x3 ⊕ x1x2x3 ⊕ x0x2x4 ⊕ x0x5 ⊕ x2x5 ⊕ x4x5 ⊕ x1x6 ⊕ x1x2x6 ⊕ x0x3x6 ⊕ x3x4x6 ⊕ x2x5x6 ⊕ 1, 

y6 = x1x2 ⊕ x0x1x3 ⊕ x0x4 ⊕ x1x5 ⊕ x3x5 ⊕ x6 ⊕ x0x1x6 ⊕ x2x3x6 ⊕ x1x4x6 ⊕ x0x5x6. 

In practice, one may apply the decimal look-up table of S7, as detailed in Table 12.2. 

Table 12.2 Decimal look-up table of S-box S7. 

 54,  50,  62,  56,  22,  34,  94,  96,  38,   6,  63,  93,   2,  18, 123,  33, 
 55, 113,  39, 114,  21,  67,  65,  12,  47,  73,  46,  27,  25, 111, 124,  81, 
 53,   9, 121,  79,  52,  60,  58,  48, 101, 127,  40, 120, 104,  70,  71,  43, 
 20, 122,  72,  61,  23, 109,  13, 100,  77,   1,  16,   7,  82,  10, 105,  98, 
117, 116,  76,  11,  89, 106,   0, 125, 118,  99,  86,  69,  30,  57, 126,  87, 
112,  51,  17,   5,  95,  14,  90,  84,  91,   8,  35, 103,  32,  97,  28,  66, 
102,  31,  26,  45,  75,   4,  85,  92,  37,  74,  80,  49,  68,  29, 115,  44, 
 64, 107, 108,  24, 110,  83,  36,  78,  42,  19,  15,  41,  88, 119,  59,   3 
Similarly, let [x8, x7, ..., x0] be the input and [y8, y7, ..., y0] be the output of S9, then the gate logic 
of S9 is as follows: 

y0 = x0x2 ⊕ x3 ⊕ x2x5 ⊕ x5x6 ⊕ x0x7 ⊕ x1x7 ⊕ x2x7 ⊕ x4x8 ⊕ x5x8 ⊕ x7x8 ⊕ 1, 

y1 = x1 ⊕ x0x1 ⊕ x2x3 ⊕ x0x4 ⊕ x1x4 ⊕ x0x5 ⊕ x3x5 ⊕ x6 ⊕ x1x7 ⊕ x2x7 ⊕ x5x8 ⊕ 1, 

y2 = x1 ⊕ x0x3 ⊕ x3x4 ⊕ x0x5 ⊕ x2x6 ⊕ x3x6 ⊕ x5x6 ⊕ x4x7 ⊕ x5x7 ⊕ x6x7 ⊕ x8 ⊕ x0x8 ⊕ 1, 

y3 = x0 ⊕ x1x2 ⊕ x0x3 ⊕ x2x4 ⊕ x5 ⊕ x0x6 ⊕ x1x6 ⊕ x4x7 ⊕ x0x8 ⊕ x1x8 ⊕ x7x8, 

y4 = x0x1 ⊕ x1x3 ⊕ x4 ⊕ x0x5 ⊕ x3x6 ⊕ x0x7 ⊕ x6x7 ⊕ x1x8 ⊕ x2x8 ⊕ x3x8, 

y5 = x2 ⊕ x1x4 ⊕ x4x5 ⊕ x0x6 ⊕ x1x6 ⊕ x3x7 ⊕ x4x7 ⊕ x6x7 ⊕ x5x8 ⊕ x6x8 ⊕ x7x8 ⊕ 1, 

y6 = x0 ⊕ x2x3 ⊕ x1x5 ⊕ x2x5 ⊕ x4x5 ⊕ x3x6 ⊕ x4x6 ⊕ x5x6 ⊕ x7 ⊕ x1x8 ⊕ x3x8 ⊕ x5x8 ⊕ x7x8, 

y7 = x0x1 ⊕ x0x2 ⊕ x1x2 ⊕ x3 ⊕ x0x3 ⊕ x2x3 ⊕ x4x5 ⊕ x2x6 ⊕ x3x6 ⊕ x2x7 ⊕ x5x7 ⊕ x8 ⊕ 1, 

y8 = x0x1 ⊕ x2 ⊕ x1x2 ⊕ x3x4 ⊕ x1x5 ⊕ x2x5 ⊕ x1x6 ⊕ x4x6 ⊕ x7 ⊕ x2x8 ⊕ x3x8. 

The decimal look-up table of S9 is detailed in Table 12.3. 

Table 12.3 Decimal look-up table of S-box S9. 

167, 239, 161, 379, 391, 334,   9, 338,  38, 226,  48, 358, 452, 385,  90, 397, 
183, 253, 147, 331, 415, 340,  51, 362, 306, 500, 262,  82, 216, 159, 356, 177, 
175, 241, 489,  37, 206,  17,   0, 333,  44, 254, 378,  58, 143, 220,  81, 400, 
 95,   3, 315, 245,  54, 235, 218, 405, 472, 264, 172, 494, 371, 290, 399,  76, 
165, 197, 395, 121, 257, 480, 423, 212, 240,  28, 462, 176, 406, 507, 288, 223, 
501, 407, 249, 265,  89, 186, 221, 428, 164,  74, 440, 196, 458, 421, 350, 163, 
232, 158, 134, 354,  13, 250, 491, 142, 191,  69, 193, 425, 152, 227, 366, 135, 
344, 300, 276, 242, 437, 320, 113, 278,  11, 243,  87, 317,  36,  93, 496,  27, 
487, 446, 482,  41,  68, 156, 457, 131, 326, 403, 339,  20,  39, 115, 442, 124, 
475, 384, 508,  53, 112, 170, 479, 151, 126, 169,  73, 268, 279, 321, 168, 364, 
363, 292,  46, 499, 393, 327, 324,  24, 456, 267, 157, 460, 488, 426, 309, 229, 
439, 506, 208, 271, 349, 401, 434, 236,  16, 209, 359,  52,  56, 120, 199, 277, 
465, 416, 252, 287, 246,   6,  83, 305, 420, 345, 153, 502,  65,  61, 244, 282, 
173, 222, 418,  67, 386, 368, 261, 101, 476, 291, 195, 430,  49,  79, 166, 330, 
280, 383, 373, 128, 382, 408, 155, 495, 367, 388, 274, 107, 459, 417,  62, 454, 
132, 225, 203, 316, 234,  14, 301,  91, 503, 286, 424, 211, 347, 307, 140, 374, 
 35, 103, 125, 427,  19, 214, 453, 146, 498, 314, 444, 230, 256, 329, 198, 285, 
 50, 116,  78, 410,  10, 205, 510, 171, 231,  45, 139, 467,  29,  86, 505,  32, 
 72,  26, 342, 150, 313, 490, 431, 238, 411, 325, 149, 473,  40, 119, 174, 355, 
185, 233, 389,  71, 448, 273, 372,  55, 110, 178, 322,  12, 469, 392, 369, 190, 
  1, 109, 375, 137, 181,  88,  75, 308, 260, 484,  98, 272, 370, 275, 412, 111, 
336, 318,   4, 504, 492, 259, 304,  77, 337, 435,  21, 357, 303, 332, 483,  18, 
 47,  85,  25, 497, 474, 289, 100, 269, 296, 478, 270, 106,  31, 104, 433,  84, 
414, 486, 394,  96,  99, 154, 511, 148, 413, 361, 409, 255, 162, 215, 302, 201, 
266, 351, 343, 144, 441, 365, 108, 298, 251,  34, 182, 509, 138, 210, 335, 133, 
311, 352, 328, 141, 396, 346, 123, 319, 450, 281, 429, 228, 443, 481,  92, 404, 
485, 422, 248, 297,  23, 213, 130, 466,  22, 217, 283,  70, 294, 360, 419, 127, 
312, 377,   7, 468, 194,   2, 117, 295, 463, 258, 224, 447, 247, 187,  80, 398, 
284, 353, 105, 390, 299, 471, 470, 184,  57, 200, 348,  63, 204, 188,  33, 451, 
 97,  30, 310, 219,  94, 160, 129, 493,  64, 179, 263, 102, 189, 207, 114, 402, 
438, 477, 387, 122, 192,  42, 381,   5, 145, 118, 180, 449, 293, 323, 136, 380, 
 43,  66,  60, 455, 341, 445, 202, 432,   8, 237,  15, 376, 436, 464,  59, 461 


12.4.2.7 Key Schedule 

The input key K to the KASUMI algorithm is 128 bits. All the round keys and subkeys are 
derived from K. First, the 128-bit key K is divided into eight 16-bit subkeys K_i, 1 ≤ i ≤ 8, as 
follows: 

K = K_1||K_2|| ... ||K_8. 

In addition to K, a modified key K' is also used. K' is derived from the original key by 
XORing with the 128-bit HEX value: 

C = 0123456789ABCDEFFEDCBA9876543210. 

Thus the modified key is: 

K' = K ⊕ C. 

The modified key is also divided into eight 16-bit parts as follows: 

K' = K'_1||K'_2|| ... ||K'_8. 

All subkeys of the eight rounds in the KASUMI algorithm are derived from the K_i and K'_i. For 
the ith round, subkeys KL are derived as follows: 

KL_{i,1} = ROL(K_i, 1), 
KL_{i,2} = K'_{i+2}. 

Subkeys KO are derived as follows: 

KO_{i,1} = ROL(K_{i+1}, 5), 
KO_{i,2} = ROL(K_{i+5}, 8), 
KO_{i,3} = ROL(K_{i+6}, 13). 

Subkeys KI are derived as follows: 

KI_{i,1} = K'_{i+4}, 
KI_{i,2} = K'_{i+3}, 
KI_{i,3} = K'_{i+7}. 

Note that the subkey index additions are cyclic, i.e. an index i + j greater than 8 denotes 
K_{(i+j) mod 8} (so K_9 = K_1, K_{10} = K_2, and so on), and likewise for K'. 
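The following is an added example, not code from the book or from 3GPP TS 35.202, implementing the two parts of KASUMI that Sections 12.4.2.3 and 12.4.2.7 specify completely in closed form: the key schedule (K split into K_1..K_8, K' = K ⊕ C, the cyclic index rule, and the KL, KO and KI subkeys of every round) and the FL function with its inverse. It does not implement FO, FI or the S-boxes, so it is not a full KASUMI encryption; the helper names rol16, split16, key_schedule, FL and FL_inverse are this example's own, and the test keys are constructed.

```python
# 128-bit constant C from Section 12.4.2.7, used to form K' = K xor C.
C = 0x0123456789ABCDEFFEDCBA9876543210


def rol16(x: int, n: int) -> int:
    """ROL(x, n): rotate a 16-bit value left by n bits."""
    return ((x << n) | (x >> (16 - n))) & 0xFFFF


def split16(k128: int) -> list:
    """Split a 128-bit integer into K_1..K_8 (16 bits each); index 0 is unused so that
    the list indices match the 1-based subscripts of the text."""
    return [None] + [(k128 >> (16 * (8 - i))) & 0xFFFF for i in range(1, 9)]


def key_schedule(k128: int) -> dict:
    """Round keys for rounds 1..8: {'KL': (KL_i1, KL_i2), 'KO': (..3), 'KI': (..3)}."""
    K = split16(k128)
    Kp = split16(k128 ^ C)                       # K'_1..K'_8
    idx = lambda j: ((j - 1) % 8) + 1            # cyclic 1-based index: 9 -> 1, 10 -> 2, ...
    rounds = {}
    for i in range(1, 9):
        rounds[i] = {
            "KL": (rol16(K[i], 1), Kp[idx(i + 2)]),
            "KO": (rol16(K[idx(i + 1)], 5), rol16(K[idx(i + 5)], 8), rol16(K[idx(i + 6)], 13)),
            "KI": (Kp[idx(i + 4)], Kp[idx(i + 3)], Kp[idx(i + 7)]),
        }
    return rounds


def FL(inp32: int, kl: tuple) -> int:
    """FL of Section 12.4.2.3: R' = ROL(L and KL_i1, 1) xor R; L' = ROL(R' or KL_i2, 1) xor L."""
    kl1, kl2 = kl
    L, R = inp32 >> 16, inp32 & 0xFFFF
    Rp = rol16(L & kl1, 1) ^ R
    Lp = rol16(Rp | kl2, 1) ^ L
    return (Lp << 16) | Rp


def FL_inverse(out32: int, kl: tuple) -> int:
    """FL is a bijection for any key: undo the two steps in reverse order."""
    kl1, kl2 = kl
    Lp, Rp = out32 >> 16, out32 & 0xFFFF
    L = rol16(Rp | kl2, 1) ^ Lp
    R = rol16(L & kl1, 1) ^ Rp
    return (L << 16) | R
```

With the all-zero key, every K'_i is simply the corresponding 16-bit word of C, which makes the cyclic index rule easy to check by eye: KL_{8,2} = K'_{10} wraps to K'_2 = 4567. FL being invertible matters for the Feistel structure only insofar as the round function need not be invertible at all; the example shows that FL happens to be.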


12.4.3 Implementation and Operational Considerations 


UMTS security requires the algorithms to accommodate a range of implementation options, 
including both hardware and software implementations. It is required to implement one 
instance of the algorithm using at most 10 000 gates for hardware implementation. It is also 
required to implement the algorithms to achieve an encryption speed that satisfies 2 Mbps 
transmission rate on both the downlink and the uplink. In addition, the encryption through- 
put requirements are based on a clock speed of 20 MHz. In practice, a typical clock speed 
is much greater than 20 MHz thus the algorithm should support much higher throughput 
requirements. Depending on different RLC modes, the implementation and operational 
requirements of new keystream block generation per frame, maximum/minimum number 
of bits per frame, and granularity are listed in Table 12.4. 


Table 12.4 Implementation and operational requirements. 

                                    RLC - transparent   RLC - UM    RLC - AM 
New keystream block per frame       10 ms               > 156 µs    > 156 µs 
Maximum number of bits per frame    5114 bits           1016 bits   1024 bits 
Minimum number of bits per frame    1 bit               16 bits     24 bits 
Granularity                         1 bit               8 bits      8 bits 


12.5 Other UMTS Security Features 


12.5.1 Mobile Equipment Identification 


The same ME identification method is carried over from the GSM system to the UMTS 
system. The international mobile equipment identity (IMEI) is the unique identity of an 
ME. The IMEI can help a user locate a phone, and the IMEI of a stolen ME can be reported 
to the network operator, who will then deny the stolen device network access. The network 
operator offers no particular protection for the IMEI. Only the terminal side can protect its 
IMEI, for example by making it difficult to modify the IMEI that is reported when the 
network requests it. The IMEI does not take part in UMTS access security, except for a few 
network features that can be based only on the IMEI value, e.g. making emergency calls 
from a phone without a USIM. 


12.5.2 Location Services 


UMTS tracks user location in order to provide service under mobility. Authentication 
parameters and temporary identities can be allocated quickly if the location of a user is 
tracked and stored. Many services also benefit from location information, for example 
automatically updating the weather report for the user's current location. Location 
information is, however, private to the user, and security mechanisms are needed to 
protect it against leakage to unauthorized parties. In practice, users decide who may know 
their whereabouts: users control whether applications on an ME may track and distribute 
their location information. 


12.5.3 User-to-USIM Authentication 


The USIM is a critical part of UMTS security. Therefore, user-to-USIM authentication is 
required before a user gets access to the network. UMTS carries over from GSM the use of a 
Personal Identification Number (PIN) that is known only to the user and the USIM. The PIN 
is 4-8 digits long and must be presented to the USIM before network access is granted. 
However, once a USIM (in an ME) has been unlocked, user-to-USIM authentication provides 
no further protection against theft of the ME. 


12.6 Summary 


In this chapter, UMTS security is introduced. Since UMTS is developed from the GSM 
system, several GSM security mechanisms are reused with modifications. The UMTS 
authentication and key agreement is a challenge-response scheme that achieves mutual 
authentication. Both the cipher key and the integrity key are generated during the AKA 
process. UMTS security provides both data confidentiality and integrity; compared with 
GSM, integrity protection is new in UMTS. Confidentiality and integrity are provided by 
algorithms f8 and f9 respectively, both of which are built on the block cipher KASUMI. 
Besides network access security, UMTS also provides other security features such as ME 
identification, location services, and user-to-USIM authentication. Where GSM security 
has known flaws, UMTS security is a considerable improvement. 


13 


LTE Security 


The International Telecommunication Union Radiocommunication Sector (ITU-R) 
established the requirements for 4G connectivity in March 2008. 4G requires peak data 
rates of at least 100 Mbps for mobile users and 1 Gbps for stationary users. Long-term 
evolution (LTE), commonly referred to as 4G LTE, is a standard for high-speed wireless 
data communications for mobile devices developed by the Third Generation Partnership 
Project (3GPP). LTE builds on the global system for mobile communications (GSM) and 
Universal Mobile Telecommunications System (UMTS) network technologies. The increase 
in capacity and speed comes from a new radio interface and improvements to the core 
network. LTE is the most popular upgrade path for carriers with either GSM/UMTS or 
CDMA2000 networks. LTE is also known as the evolved packet system (EPS) and system 
architecture evolution (SAE); the three terms are used interchangeably in this chapter. LTE 
security is an evolution of UMTS security, but has in fact improved much further. In this 
chapter, LTE security as well as some other related 4G security issues are discussed. 


13.1 LTE System Architecture 


An overview of the basic LTE/EPS architecture is given in Figure 13.1. It consists of user 
equipment (UE), the evolved UMTS Terrestrial Radio Access Network (E-UTRAN), and 
the evolved packet core (EPC). The UE is connected to the EPC over the E-UTRAN, i.e. the 
LTE access network. The EPC is connected to an Internet Protocol (IP) network or the 
Internet [107]. A UE is a cellular device consisting of a mobile equipment (ME), i.e. the 
phone itself, and a Universal Integrated Circuit Card (UICC). A UICC serves the same role 
as a subscriber identity module (SIM) card in GSM or a universal subscriber identity 
module (USIM) card in UMTS. Despite the technical differences inside the cards, the 
identical outer appearance of the three modules makes them all widely known as SIM 
cards. Personal information such as contacts and text messages may be stored on a UICC. 
More importantly, it stores several security-related parameters, such as the international 
mobile subscriber identity (IMSI, i.e. the subscriber identifier), keys, and authentication 
algorithms. For backward compatibility, a UICC also runs the SIM and USIM applications. 


Security in Wireless Communication Networks, First Edition. Yi Qian, Feng Ye, and Hsiao-Hwa Chen. 
© 2022 John Wiley & Sons Ltd. Published 2022 by John Wiley & Sons Ltd. 
Companion website: www.wiley.com/go/qian/sec51 

Figure 13.1 LTE architecture. 
Figure 13.2 Evolution of services provided by GSM, UMTS, and EPS. 

An E-UTRAN comprises multiple evolved NodeBs (eNBs), the base stations of the LTE 
radio network. An eNB is the radio component of the LTE network: it is connected to the 
core network and communicates directly over wireless links with UEs, like a base 
transceiver station in GSM networks. An eNB demodulates radio frequency (RF) signals 
and forwards IP packets to the core network; it also modulates IP packets from the core 
network and transmits RF signals to UEs. The interface that connects eNBs to each other is 
X2. Note that there is no separate controller element for eNBs; this simplification gives LTE 
a lower response time. The EPC is the latest evolution of the 3GPP core network 
architecture. The GSM architecture relies on circuit switching to provide services. Though 
GPRS added packet switching to transport packets, circuits still carried voice and short 
messages. The UMTS system architecture introduced a dual-domain concept on the core 
network side. LTE/EPS uses IP as the key protocol to transport all services. Therefore, the 
EPC no longer has a circuit-switched domain: it is an evolution of the packet-switched 
architecture used in GPRS/UMTS. Figure 13.2 illustrates this evolution from GSM to EPS. 
The EPC comprises four major components: the mobility management entity (MME), the 
home subscriber server (HSS), the serving gateway (S-GW), and the packet data network 
gateway (P-GW). An access security management entity (ASME) is also a component of the 
EPC; for E-UTRAN access networks, its role is assumed by the MME. 


• The MME deals with the control plane (signaling data). It handles signaling related to 
mobility and security for E-UTRAN access. The MME is also responsible for tracking and 
paging a UE that is in idle mode. The MME also plays an important role in LTE mobility, 
both in handover between eNBs and in handover between LTE and other 3GPP accesses. 
An MME is a termination point of the non-access stratum (NAS). 

• The ASME is the entity that receives the top-level keys of an access network from the 
HSS. For EPS, the role of the ASME is assumed by the MME. 

• The HSS is based on the home location register (HLR) and authentication center (AuC) 
of previous generations of cellular networks. Basically, the HSS is a database that 
contains user-related and subscriber-related information, e.g. IMSI and keys. It provides 
support functions for user authentication and access authorization, mobility 
management, and call/session setup. 

• The S-GW deals with the user plane (user data). It interconnects the radio access network 
and the EPC. Incoming and outgoing IP packets to and from a UE are routed by the S-GW. 
An S-GW is logically connected to a P-GW. 

• The P-GW also deals with the user plane. It interconnects the EPC and external IP 
networks, also known as packet data networks (PDNs). The P-GW routes packets to and 
from the PDNs. The P-GW also performs functions such as IP address/IP prefix 
allocation, policy control, and charging. While the S-GW and P-GW are specified 
independently, network vendors may combine them, as they are logically connected. 


LTE has a flatter architecture than UMTS. LTE separates the control plane (i.e. for 
signaling data) and the user plane (i.e. for user data), as shown in Figure 13.3. The two 
logical planes are multiplexed into the same RF signal transmitted between a UE and the 
E-UTRAN. Data from the different planes is routed to different end points: signaling data 
is routed to the MME, while user data is routed to the S-GW. 

Figure 13.3 LTE communications planes. 


13.2 LTE Security Architecture 


LTE security reuses the UMTS authentication and key agreement (AKA) mechanism. 
Therefore the use of a USIM is required (a GSM SIM is excluded). Compared with UMTS, 
LTE further extends the key hierarchy (details are given in Section 13.3). LTE provides 
greater protection for backhaul networks to ensure the security of the EPC. LTE also 
integrates inter-networking security for legacy and non-3GPP networks [108]. LTE has a 
trust model similar to that of UMTS: the EPC is the secure core network and the E-UTRAN 
is a radio access network that is vulnerable to attack. Since there is no radio network 
controller in LTE, UE user plane security is terminated in the eNB. There are five sets of 
security features defined by 3GPP for LTE [109], as shown in Figure 13.4. 

Figure 13.4 Overview of LTE security architecture. 


• Network access security (I): the set of security features that provides UEs with secure 
access to the EPC and protects against various attacks on the radio link. 

• Network domain security (II): the set of security features that protects against attacks on 
the wireline network and enables nodes to exchange signaling data and user data in a 
secure manner. 

• User domain security (III): the set of security features that provides mutual 
authentication between the USIM and the ME before the USIM accesses the ME. 

• Application domain security (IV): the set of security features that enables applications in 
the UE and in the provider domain to exchange messages securely. 

• Non-3GPP domain security (V): the set of features that enables UEs to access the EPC 
securely via non-3GPP access networks and provides security protection on the radio 
access link. 


Security over the LTE air interface is provided through strong cryptographic techniques. 
The backhaul link from the eNB to the core network makes use of Internet key exchange 
(IKE) and the IP security (IPsec) protocol when cryptographic protection is needed. Strong 
cryptographic techniques provide end-to-end protection for signaling between the core net- 
work and UE. Therefore, the main location where user traffic is threatened by exposure is 
in the eNB. 

Moreover, to minimize susceptibility to attacks, the eNB needs to provide a secure 
environment that supports the execution of sensitive operations, such as encryption 
or decryption of user data, and the storage of sensitive data like keys for securing UE 
communications, long-term cryptographic secrets, and vital configuration data. Likewise, 
the use of sensitive data must be confined to this secure environment. 

Even with the aforementioned security measures in place, one must consider attacks on 
an eNB, because, if successful, they could give attackers full control of the eNB and its sig- 
naling to UEs and other nodes. To limit the effect of a successful attack on one eNB, attackers 
must not be able to intercept or manipulate user and signaling plane traffic that traverses 
another eNB - for example, after handover. 
13.3.1 LTE Key Hierarchy 


As mentioned earlier, LTE extends the key hierarchy of UMTS, and more keys are used in 
LTE security. This section gives an overview of the LTE keys as a basis for the security 
mechanisms that follow. The 3GPP TS 33.401 specification [110] defines the key 
distribution and key derivation scheme for EPS. The key hierarchy is shown in Figure 13.5. 
K is the permanent key shared between the UICC (the USIM on the UICC) and the AuC (in 
the HSS). CK and IK are the pair of keys derived in the AuC and on the USIM during an 
AKA process. Since EPS AKA is based on UMTS AKA, those three keys are shared between 
the UE and the HSS in EPS as well. Although CK and IK are derived in EPS security, they 
are handled differently: the two keys are used to generate an intermediate key K_ASME, 
shared between the UE and the ASME, for the rest of EPS security. Besides K_ASME, EPS 
security also includes the following keys: K_eNB, K_NASenc, K_NASint, K_UPenc, 
K_RRCint, and K_RRCenc. 


• K_eNB is a 256-bit key derived by the UE and the MME from K_ASME when the UE enters 
the ECM-CONNECTED state, or by the UE and the target eNB during an eNB handover. 

• K_NASenc is a 256-bit encryption key (128 bits after truncation, see below) derived by the 
UE and the MME from K_ASME, together with an identifier for the encryption algorithm 
(i.e. NAS-enc-alg and Alg-ID), using the key derivation function (KDF). It is used to 
provide confidentiality for NAS traffic with that encryption algorithm. 

• K_NASint is a 256-bit integrity key (128 bits after truncation) derived by the UE and the 
MME from K_ASME, together with an identifier for the integrity algorithm (i.e. 
NAS-int-alg and Alg-ID), using the KDF. It is used to provide integrity for NAS traffic 
with that integrity algorithm. 

• K_UPenc is a 256-bit encryption key (128 bits after truncation) derived by the UE and the 
eNB from K_eNB, together with an identifier for the encryption algorithm (i.e. 
UP-enc-alg and Alg-ID), using the KDF. It is used to provide confidentiality for 
user-plane traffic with that encryption algorithm. 

• K_RRCenc is a 256-bit encryption key (128 bits after truncation) derived by the UE and 
the eNB from K_eNB, together with an identifier for the encryption algorithm (i.e. 
RRC-enc-alg and Alg-ID), using the KDF. It is used to provide confidentiality for radio 
resource control (RRC) traffic with that encryption algorithm. 

• K_RRCint is a 256-bit integrity key (128 bits after truncation) derived by the UE and the 
eNB from K_eNB, together with an identifier for the integrity algorithm (i.e. RRC-int-alg 
and Alg-ID), using the KDF. It is used to provide integrity for RRC traffic with that 
integrity algorithm. 


Figure 13.5 Key hierarchy in LTE (K_ASME, K_NASenc, K_NASint and K_eNB are held by the UE 
and the MME; K_UPenc, K_RRCint and K_RRCenc by the UE and the eNB). 


Figure 13.6 shows the dependencies among the different keys and how they are derived 
from the network nodes' point of view. K, CK, and IK are the three keys that already exist 
in UMTS. Apart from those three, all other keys in EPS are derived with the core function 
KDF, which is defined in the 3GPP TS 33.220 specification. The KDF is an HMAC function 
based on SHA-256, so its output is 256 bits, which is the length of the EPS keys. 
Nonetheless, in case the encryption or integrity algorithm used to protect NAS, UP, or 
RRC traffic requires a 128-bit key as input, the key is truncated to 128 bits by the function 
Trunc, which takes a 256-bit string as input and returns its 128 least significant bits. The 
keys are also derived on the user side: instead of deriving them in different network 
components, the ME derives all the keys itself with the same process performed on the 
network side. The EPS key hierarchy ensures that keys used for one access network cannot 
be used in another access network. It also ensures that the same key is not used for multiple 
purposes or with different algorithms. Moreover, the key hierarchy makes it possible to 
change the keys used between a UE and eNBs frequently without changing the master 
secret key K. 
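The hierarchy just described, as an added Python example (not code from the book or 
from 3GPP): the KDF is HMAC-SHA-256 over a string FC || P0 || L0 || P1 || L1 ..., as in 
TS 33.220, and Trunc keeps the 128 least significant bits. The FC values (0x10, 0x11, 0x15), 
the algorithm type distinguishers and the parameter encodings are what the example's 
author recalls from TS 33.401 Annex A; treat them as assumptions and check them against 
the specification before reusing the values. The sample CK, IK, SN_id and SQN xor AK 
are constructed test data. 

```python
"""Added example (not from the book): the EPS key hierarchy derived with
HMAC-SHA-256 as the KDF. FC values, type distinguishers and encodings are
assumptions recalled from 3GPP TS 33.401 Annex A; verify before reuse."""
import hmac
import hashlib

# Algorithm type distinguishers (assumed values, TS 33.401 Annex A.7).
NAS_ENC_ALG, NAS_INT_ALG = 0x01, 0x02
RRC_ENC_ALG, RRC_INT_ALG = 0x03, 0x04
UP_ENC_ALG = 0x05


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """TS 33.220 style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")      # each Pi followed by its 2-byte length Li
    return hmac.new(key, s, hashlib.sha256).digest()   # 256-bit output


def trunc(k256: bytes) -> bytes:
    """Trunc: keep the 128 least significant bits of a 256-bit key."""
    return k256[16:]


def derive_k_asme(ck: bytes, ik: bytes, sn_id: bytes, sqn_xor_ak: bytes) -> bytes:
    """K_ASME = KDF(CK || IK, SN_id, SQN xor AK); FC = 0x10 (assumed)."""
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


def derive_k_enb(k_asme: bytes, nas_uplink_count: int) -> bytes:
    """K_eNB = KDF(K_ASME, NAS uplink COUNT); FC = 0x11 (assumed)."""
    return kdf(k_asme, 0x11, nas_uplink_count.to_bytes(4, "big"))


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """256-bit algorithm key = KDF(parent, type distinguisher, Alg-ID); FC = 0x15 (assumed).
    parent is K_ASME for the NAS keys and K_eNB for the RRC/UP keys."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))


def eps_keys(ck, ik, sn_id, sqn_xor_ak, nas_ul_count, alg_ids):
    """Derive the whole hierarchy. alg_ids maps type distinguisher -> Alg-ID.
    Returns K_ASME and K_eNB (256 bits) and the five truncated 128-bit algorithm keys."""
    k_asme = derive_k_asme(ck, ik, sn_id, sqn_xor_ak)
    k_enb = derive_k_enb(k_asme, nas_ul_count)
    keys = {"K_ASME": k_asme, "K_eNB": k_enb}
    for name, typ, parent in (("K_NASenc", NAS_ENC_ALG, k_asme),
                              ("K_NASint", NAS_INT_ALG, k_asme),
                              ("K_RRCenc", RRC_ENC_ALG, k_enb),
                              ("K_RRCint", RRC_INT_ALG, k_enb),
                              ("K_UPenc", UP_ENC_ALG, k_enb)):
        keys[name] = trunc(derive_alg_key(parent, typ, alg_ids[typ]))
    return keys


if __name__ == "__main__":
    # Constructed sample inputs (not real subscriber material).
    CK, IK = bytes(range(16)), bytes(range(16, 32))
    SN_ID = bytes.fromhex("13f123")          # hypothetical serving network identity
    SQN_AK = bytes.fromhex("0123456789ab")   # hypothetical SQN xor AK from AUTN
    ALG = {NAS_ENC_ALG: 2, NAS_INT_ALG: 2, RRC_ENC_ALG: 2, RRC_INT_ALG: 2, UP_ENC_ALG: 2}
    for name, k in eps_keys(CK, IK, SN_ID, SQN_AK, 0, ALG).items():
        print(f"{name:9s} {len(k) * 8:3d} bits  {k.hex()}")
```

Two properties of the hierarchy are visible in the code: the type distinguisher and Alg-ID 
are part of the KDF input, so the same parent key never yields the same key for two 
purposes or two algorithms, and K_eNB is refreshed by changing the NAS uplink COUNT 
alone, without touching K, CK or IK. 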


Figure 13.6 Key derivation in LTE (KDF inputs: CK, IK, SN_id and SQN xor AK for K_ASME; 
NAS uplink COUNT for K_eNB; K_eNB or NH together with the physical cell ID and EARFCN-DL 
for K*_eNB at the eNB; NAS-enc-alg, NAS-int-alg, UP-enc-alg, RRC-int-alg, RRC-enc-alg with 
Alg-ID for the 256-bit algorithm keys, each followed by Trunc to 128 bits). 
13.3.2 LTE Authentication and Key Agreement 


Mutual authentication between the UE and the EPC is an important security feature of 
the LTE security framework. The UMTS AKA protocol already provides mutual 
authentication and is a good foundation for the LTE AKA protocol. LTE AKA provides 
mutual authentication between the UE and the EPC, ensuring that no fraudulent entity 
can pose as a valid network node. Besides entity authentication, LTE AKA also produces 
keying material that forms the basis for the UP, RRC, and NAS ciphering keys, as well as 
the RRC and NAS integrity keys. One must keep in mind that although LTE is backward 
compatible with GSM service, SIM cards are not allowed in LTE AKA, because they do not 
provide adequate security owing to the one-way authentication and weak keys of the GSM 
system. The LTE AKA process is sketched in Figure 13.7. Its 11 steps can be seen as three 
parts: request, challenge, and response. 

Request: 


(1) The MME (serving network) initiates by requesting the user identity, as in UMTS. 

(2) The UE replies with an identity response that is further relayed to the HSS (home 
network). There are two possibilities for the UE identity response. First, if the UE has 
authenticated itself to the MME (serving network) before, then a temporary identity, the 
globally unique temporary identifier (GUTI), exists and is sent as the response. On the 
other hand, if a GUTI is not available, the UE sends its permanent identity, the IMSI, 
as the response. 


Figure 13.7 LTE authentication and key agreement (message flow among UE, eNodeB, 
MME, and HSS: 1 identity request; 2 identity response (GUTI/IMSI); 3 AUTH data request 
(GUTI/IMSI, SN_id); 4 generate AV; 5 AUTH data response AV = (RAND, AUTN, XRES, K_ASME); 
6 user authentication request (AUTN, RAND); 7 verify AUTN; 8 compute RES, CK, IK; 
9 user authentication response (RES); 10 compare RES and XRES; 11 compute K_ASME). 
Challenge: 

(3) The MME forwards the GUTI/IMSI to the HSS. If a GUTI is used, the network retrieves 
the user context (i.e. IMSI and K) based on the GUTI [111]. In both cases, it is the IMSI 
of the UE that identifies the subscriber. The serving network's identity (SN_id) is also 
sent to the HSS so that the serving network can be authenticated. 

(4) Once the HSS has retrieved the IMSI of the supplicant (i.e. the UE) and the corresponding 
long-term secret key K, it generates an authentication vector AV as the challenge part 
of LTE AKA. The AV generation is almost the same as in the UMTS AKA process, i.e. 

$\mathrm{AV} = (\mathrm{RAND}, \mathrm{AUTN}, \mathrm{XRES}, K_{\mathrm{ASME}}),$ 

where RAND is a random number, and AUTN and XRES are the same parameters as in 
UMTS AKA (see the previous chapter for details). The difference between the LTE and 
UMTS AV is the key. The keys CK and IK are generated in both the LTE and UMTS AKA 
processes; however, LTE AKA does not include them in the AV. Instead, the two keys are 
bound together through a function to create K_ASME, such that 

$K_{\mathrm{ASME}} = \mathrm{KDF}(\mathrm{SN}_{\mathrm{id}}, \mathrm{CK} \,\|\, \mathrm{IK}).$ 

(5) The HSS sends the AV to the MME. 

(6) The MME sends the authentication token AUTN and the random challenge RAND to 
the UE. Note that K_ASME is not sent to the UE; it is generated on the UE side in the 
response part. 

Response: 

(7) The USIM verifies whether AUTN can be accepted. 

(8) The USIM then computes CK, IK, and RES (see the previous chapter for details). 

(9) The RES is sent to the MME for comparison with the XRES. 

(10) The authentication succeeds if RES = XRES. 

(11) After a successful response, the UE computes K_ASME from CK, IK, and SN_id using 
the KDF. 


Note that the response part on the UE side follows the same process as UMTS AKA. It was 
mentioned in step 3 that SN_id is used for authenticating the SN's identity. This is because 
the generation of K_ASME takes SN_id as input at both the UE and the HSS; thus, if the 
keys derived from K_ASME are used successfully, the SN's identity is implicitly 
authenticated. To expedite future AKA runs, a UE may store CK and IK from a run of EPS 
AKA. The UE shall not store the two keys on the USIM; instead, they shall be stored in a 
non-volatile part of the ME memory. This is because the USIM does not have some of the 
fields (e.g. NAS COUNT values) required to store an EPS security context. Moreover, 
storing CK and IK from EPS AKA on a USIM could overwrite keys resulting from an earlier 
run of UMTS AKA. Therefore, when a UICC is inserted into another ME, an EPS AKA 
authentication must be initiated. This is in contrast to UMTS, where the USIM may store 
the security context to avoid another UMTS AKA run. 
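The eleven-step exchange above as an added, self-contained simulation (this is example 
code, not the book's or 3GPP's): an HSS object generates the AV, a USIM object verifies 
AUTN and answers with RES, and a driver plays the MME. The functions f1 to f5 here are 
HMAC-SHA-256 stand-ins chosen so the example runs without MILENAGE; they are not the 
3GPP functions and their output lengths are the example's own choices. The KDF and its 
FC = 0x10 follow TS 33.401 Annex A as the example's author recalls it (an assumption), and 
SQN xor AK is included in the K_ASME derivation as in Figure 13.6. The subscriber key, 
IMSI and SN_id values are constructed test data. 

```python
"""Added example (not from the book): a simulation of the LTE AKA flow with
HSS, MME and USIM roles. f1..f5 are HMAC stand-ins, NOT the 3GPP functions;
the KDF input layout and FC = 0x10 are assumptions from TS 33.401 Annex A."""
import hmac
import hashlib
import os


def _h(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


# Stand-in authentication functions (output lengths are this example's choices).
def f1(k, sqn, rand, amf): return _h(k, b"f1", sqn, rand, amf)[:8]   # MAC
def f2(k, rand):           return _h(k, b"f2", rand)[:8]             # RES / XRES
def f3(k, rand):           return _h(k, b"f3", rand)[:16]            # CK
def f4(k, rand):           return _h(k, b"f4", rand)[:16]            # IK
def f5(k, rand):           return _h(k, b"f5", rand)[:6]             # AK


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def kdf(key, fc, *params):
    """TS 33.220 style KDF: HMAC-SHA-256(key, FC || P0 || L0 || ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return _h(key, s)


def k_asme(ck, ik, sn_id, sqn_xor_ak):
    return kdf(ck + ik, 0x10, sn_id, sqn_xor_ak)


class HSS:
    """Home network: holds (IMSI -> K, SQN) and generates authentication vectors."""
    def __init__(self, subscribers):
        self.db = {imsi: {"K": k, "SQN": 0} for imsi, k in subscribers.items()}

    def auth_data_response(self, imsi, sn_id, rand=None):
        """Steps 3-5: build AV = (RAND, AUTN, XRES, K_ASME) bound to sn_id."""
        rec = self.db[imsi]
        rec["SQN"] += 1                            # fresh sequence number per AV
        sqn = rec["SQN"].to_bytes(6, "big")
        amf = b"\x80\x00"
        rand = rand or os.urandom(16)
        k = rec["K"]
        ak = f5(k, rand)
        autn = xor(sqn, ak) + amf + f1(k, sqn, rand, amf)
        ck, ik = f3(k, rand), f4(k, rand)          # CK/IK never leave the home network
        return {"RAND": rand, "AUTN": autn, "XRES": f2(k, rand),
                "K_ASME": k_asme(ck, ik, sn_id, xor(sqn, ak))}


class USIM:
    """UE side: shares K with the HSS and tracks the highest accepted SQN."""
    def __init__(self, imsi, k):
        self.imsi, self.k, self.sqn_max = imsi, k, 0

    def authenticate(self, rand, autn, sn_id):
        """Steps 7-8 and 11: verify AUTN (MAC, then freshness), compute RES and K_ASME."""
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_xor_ak, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand, amf)):
            raise ValueError("MAC failure: AUTN was not produced by my home network")
        if int.from_bytes(sqn, "big") <= self.sqn_max:
            raise ValueError("synchronisation failure: replayed or stale AUTN")
        self.sqn_max = int.from_bytes(sqn, "big")
        ck, ik = f3(self.k, rand), f4(self.k, rand)
        return f2(self.k, rand), k_asme(ck, ik, sn_id, sqn_xor_ak)


def run_eps_aka(hss, usim, sn_id, ue_observed_sn=None):
    """Whole flow with the MME as driver. Returns (RES == XRES, K_ASME at MME, K_ASME at UE).
    ue_observed_sn models the serving network identity the UE sees on the radio side."""
    av = hss.auth_data_response(usim.imsi, sn_id)                 # steps 3-5
    res, k_ue = usim.authenticate(av["RAND"], av["AUTN"],
                                  ue_observed_sn or sn_id)        # steps 6-8, 11
    return hmac.compare_digest(res, av["XRES"]), av["K_ASME"], k_ue   # step 10
```

The last test case is the point of SN_id binding: an AV issued for one serving network 
still produces a matching RES at another, so step 10 passes, but the two sides end up with 
different K_ASME values and the subsequent NAS security mode command cannot be 
integrity-checked, which is how the serving network identity is implicitly authenticated. 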


13.3.3 Signaling Protection 


LTE separates control plane and user plane, thus, security protection provided for 
radio-specific signaling and user-plane traffic is also separated. 
13.3.3.1 Protection of Radio-Specific Signaling 

LTE provides confidentiality and integrity between the UE and the eNB. The backhaul 
signaling between the eNB and the MME is protected by IKE/IPsec (which is beyond the 
scope of this book). Specific protocols are also available in LTE to provide end-to-end 
protection of signaling between the MME and the UE. In particular, confidentiality may be 
provided to both RRC signaling and NAS signaling. For RRC signaling it is applied at the 
Packet Data Convergence Protocol (PDCP) layer, which can prevent UE tracking based on 
certain radio signaling information, such as cell-level measurement reports, handover 
message mapping, etc. It is the operator's option whether confidentiality is provided for 
RRC signaling. Confidentiality for NAS signaling is provided by the NAS protocol itself. In 
fact, if NAS security has not been activated, the UE will not send its international mobile 
equipment identity (IMEI) to the network. Confidentiality protection of both RRC and NAS 
signaling is recommended. Integrity shall be provided to both RRC and NAS signaling. RRC 
signaling integrity is applied at the PDCP layer only; no layer below PDCP is integrity 
protected. NAS signaling integrity is provided by the NAS protocol. 


13.3.3.2 Protection of User-Plane Traffic 

LTE provides confidentiality between the UE and the eNB, while integrity is not provided 
for user-plane traffic. Nonetheless, support for both confidentiality and integrity is 
mandatory in the eNB. The backhaul traffic between the eNB and the S-GW is protected by 
IKE/IPsec. Confidentiality is applied at the PDCP layer and protects the user-plane traffic 
between the UE and the eNB; it is an operator's option but is recommended. Integrity is 
NOT provided for the user-plane traffic between the UE and the eNB. On one hand, 
integrity protection costs bandwidth overhead on every packet; on the other hand, it was 
judged impractical for an attacker to manipulate user-plane packets meaningfully without 
knowing the keys. 


13.3.4 Overview of Confidentiality and Integrity Algorithms 


Both the confidentiality and the integrity algorithms in LTE security take a 128-bit input 
key. The key hierarchy nevertheless carries 256-bit keys so that algorithms with 256-bit 
input keys can be introduced later. 


13.3.4.1 Confidentiality Mechanism 

The confidentiality of both radio signaling and user-plane traffic is provided by the same 
EPS encryption algorithm (EEA), as illustrated in Figure 13.8. There are five input 
parameters to the encryption algorithm: KEY, COUNT-C, BEARER, DIRECTION, and LENGTH. 


• KEY is the 128-bit ciphering key (i.e. K_RRCenc, K_NASenc, or K_UPenc). 

• COUNT-C is a 32-bit bearer-specific, time- and direction-dependent value that prevents 
replay attacks. 

• BEARER is the 5-bit radio bearer identity. 

• DIRECTION is a 1-bit value that indicates the transmission direction, i.e. 0 for uplink and 
1 for downlink. 

• LENGTH is the length of the keystream required. Readers should note that it is the length 
of the keystream block, not the actual bits in it. 
Figure 13.8 LTE ciphering mechanism. 
Figure 13.9 LTE integrity mechanism. 


The EEA generates the output keystream block KEYSTREAM from the five input 
parameters. Encryption is performed by XORing the plaintext block with the keystream 
block. At the receiver side, the plaintext is recovered by generating the same KEYSTREAM 
from the same input parameters and XORing it with the ciphertext. Although the same 
algorithm is applied to both signaling traffic and user-plane data, no collision of input 
parameters will occur, because the BEARER identities of the signaling radio bearers used for 
RRC messages differ from those of the radio bearers used for user-plane data. 
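An added example (not code from the book or a 3GPP algorithm) of how the five EEA 
inputs select a keystream, and of what goes wrong when COUNT-C, BEARER and 
DIRECTION repeat under one key. The keystream generator is an HMAC-SHA-256 counter 
mode stand-in, not an EEA; the 128-bit input block layout (COUNT-C || BEARER || 
DIRECTION || zero padding) is the one the example's author recalls for 128-EEA2 and is an 
assumption. The key and the two packets are constructed test data. 

```python
"""Added example (not from the book): EEA input packing and the cost of
keystream reuse. The keystream generator is an HMAC stand-in, not an EEA;
the input block layout is an assumption modelled on 128-EEA2."""
import hmac
import hashlib


def eea_input_block(count_c: int, bearer: int, direction: int) -> bytes:
    """Pack COUNT-C (32 bits) || BEARER (5 bits) || DIRECTION (1 bit) || 90 zero bits
    into a 16-byte block, rejecting out-of-range inputs."""
    if not 0 <= count_c < 2 ** 32:
        raise ValueError("COUNT-C is 32 bits")
    if not 0 <= bearer < 2 ** 5:
        raise ValueError("BEARER is 5 bits")
    if direction not in (0, 1):
        raise ValueError("DIRECTION is 1 bit")
    second_word = (bearer << 27) | (direction << 26)   # 5 + 1 bits, then 26 zero bits
    return count_c.to_bytes(4, "big") + second_word.to_bytes(4, "big") + bytes(8)


def keystream(key: bytes, count_c: int, bearer: int, direction: int, length: int) -> bytes:
    """Stand-in KEYSTREAM: HMAC(key, input block || block index) in counter mode,
    cut to LENGTH bytes. Only the first four EEA inputs select the stream."""
    iv = eea_input_block(count_c, bearer, direction)
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def eea_encrypt(key, count_c, bearer, direction, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext xor KEYSTREAM; decryption is the same operation."""
    ks = keystream(key, count_c, bearer, direction, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


eea_decrypt = eea_encrypt


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What a passive eavesdropper learns when two packets were protected with the
    same (KEY, COUNT-C, BEARER, DIRECTION): c1 xor c2 == p1 xor p2, key not needed."""
    return bytes(a ^ b for a, b in zip(c1, c2))
```

The leak function is the reason COUNT-C must never wrap under one key and why the 
signaling and data bearers must carry distinct BEARER values: with any one of the four 
selecting inputs changed the streams differ, but with all four equal the XOR of two 
ciphertexts is the XOR of the two plaintexts. 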


13.3.4.2 Integrity Mechanism 

Both RRC and NAS signaling integrity are protected by the same EPS integrity algorithm 
(EIA), as illustrated in Figure 13.9. There are five input parameters to the integrity 
algorithm: KEY, COUNT-I, MESSAGE, DIRECTION, and BEARER. 


• KEY is the 128-bit integrity key (i.e. K_RRCint or K_NASint). 

• COUNT-I is a 32-bit value that prevents replay attacks. 

• MESSAGE is the message itself. 

• DIRECTION is a 1-bit value that indicates the transmission direction, i.e. 0 for uplink and 
1 for downlink. 

• BEARER is the 5-bit radio bearer identity. 


The output of the EIA is the message authentication code (MAC) for integrity protection. 
The MAC is appended to the message when it is sent. Depending on the application, the 
outputs have different names: MAC-I for radio signaling and NAS-MAC for NAS signaling 
integrity protection. XMAC-I and XNAS-MAC are the corresponding message 
authentication codes computed at the receiver side. A receiver verifies the integrity of a 
message by comparing the computed XMAC with the received MAC. 

Figure 13.10 3GPP and non-3GPP access networks. 


13.3.5 Non-3GPP Access 


LTE supports non-3GPP access, so E-UTRAN is not the only access technology for a UE 
to reach the EPC. For example, some operators already support voice over Wi-Fi in 
addition to their LTE access. In fact, since code division multiple access (CDMA) and 
CDMA2000 are non-3GPP technologies, operators based on those technologies must rely 
on non-3GPP access to LTE. The idea is to use a single core network that provides various 
IP-based services over multiple access technologies. 

An overview of non-3GPP access to the EPC is illustrated in Figure 13.10. Non-3GPP 
accesses are generally categorized into trusted and untrusted groups. A trusted non-3GPP 
access interacts directly with the EPC, while an untrusted non-3GPP access interacts with 
the EPC via the evolved packet data gateway (ePDG). The ePDG provides a security tunnel 
connecting the UE to the EPC over an untrusted non-3GPP access. It is the operator's 
decision which non-3GPP technologies are trusted or untrusted; for example, a CDMA 
based operator may trust CDMA access, while a WiMAX based operator may trust WiMAX 
access. A trusted access already holds EPS security contexts for running AKA with the EPC. 
For an untrusted access, access-level authentication is optional; authentication is instead 
provided by the IKE/IPsec security association between the ePDG and the UE using 
EAP-AKA. When the UE's mobility is based on the dual-stack mobile IPv6 protocol 
(DSMIPv6), this EAP-AKA run is optional, because EAP-AKA is already applied between 
the UE and the PDN-GW by default in DSMIPv6. 


13.4 Handover Between eNBs 


13.4.1 Overview 


Handover from one eNB to another includes two cases: handover over the X2 interface 
and handover over the S1 interface. An X2 handover takes place between two eNBs 
directly. As shown in Figure 13.11, the source eNB (eNB_s) initiates the handover by 
sending a request to the target eNB (eNB_t). The UE security capabilities are included 
in the request message. The target eNB selects the ciphering and integrity algorithms with 
the highest priority according to its locally configured list of algorithms. The target eNB 
then acknowledges the handover request to the source eNB and establishes a connection 
with the UE. After the handover, a path switch request is sent from the target eNB to the 
MME, which verifies the UE security capabilities received via the source eNB. If the 
handover is legitimate, the MME confirms it; otherwise, the MME may log the event and 
take additional measures. 

Figure 13.11 Handover from a source eNB over X2 to a target eNB. 

An S1 handover involves the MME in the process, and is required whenever the MME 
itself changes. In an S1 handover, the MME creates a transparent container that contains 
the UE security capabilities and sends it to the target eNB in the handover request. The 
target eNB selects the ciphering and integrity algorithms with the highest priority according 
to its locally configured list of algorithms. Acknowledgment and command messages are 
exchanged in the same way as in an X2 handover. Unlike an X2 handover, a handover 
notify message is sent from the target eNB to the MME, which verifies the UE's security 
capabilities. If the handover is legitimate, the MME confirms it; otherwise, the MME may 
log the event and take additional measures. 

Note that, for security after handover, the target eNB may need a new key that is unknown 
to the source eNB. Then, even if an attacker compromises one eNB and obtains its key, the 
other eNB still has secure keys and can continue providing service to the UE. This process 
is illustrated in Figure 13.12. Details of the key handling process are given later in this 
section. 


13.4.2 Key Handling in Handover 


13.4.2.1 Initialization 
Key handling in LTE handover starts with the initialization of K_eNB and the Next Hop (NH) 
parameter. The initialization process has three steps, as depicted in Figure 13.13. 


(1) K_eNB is calculated from K_ASME and the NAS uplink COUNT. Whenever a fresh K_eNB 
is calculated, both the UE and the MME calculate the NH parameter according to 
process Proc-NH0: 


Proc-NH0: 


$\mathrm{NCC} = 0; \quad \mathrm{NH} = \mathrm{KDF}(K_{\mathrm{ASME}}, K_{\mathrm{eNB}}); \quad K^{*}_{\mathrm{eNB}} = K_{\mathrm{eNB}}.$  (13.1) 
Figure 13.12 Handover from a source eNB over S1 to a target eNB with a new key derived by the 
MME. 

Figure 13.13 Initialization of the NH key derivation parameter and K_eNB (1: Proc-NH0 at the 
UE and at the MME; 2: initial context setup request (K_eNB, NCC, NH) from the MME to the 
serving eNB; 3: Proc-KeNB2 at the UE and at the serving eNB). 


(2) MME sends an initial context setup request to the serving eNB providing K_eNB, NCC, and NH 
in the AS security context. The serving eNB stores NCC, stores NH as NH*, and stores K_eNB as 
K_eNB* for further calculation. 

(3) Both UE and serving eNB run process Proc-KeNB2 that creates a new K_eNB and the 
RRC/UP keys. 


Proc-KeNB2: 
If index increases from previous handover: 
    K_eNB = NH*. 
If index does not increase from previous handover: 
    K_eNB = KDF(K_eNB*, target C-RNTI). 
Derive RRC and UP keys from K_eNB; Delete K_eNB*. 


C-RNTI is the cell radio network temporary identifier that is used for identifying RRC 
connection and scheduling which is dedicated to a particular UE. C-RNTI is assigned 
by the serving eNB to UE. 


After initialization of K_eNB and NH, key handling can be performed in handover. 

Figure 13.14 Key refresh with intra-eNB handover. 

13.4.2.2 Intra-eNB Key Handling 

The most intuitive handover is intra-eNB handover, where the NCC and NH parameters 
are the same as in the previous handover. The 9-step key derivation for this handover 
procedure is described in Figure 13.14. 


(1) UE sends measurement report to the serving eNB. 

(2) The serving eNB runs process Proc-KeNB1 to create the target eNB key (K_eNB*). 
Proc-KeNB1: create target eNB key (K_eNB*); run in UE, eNB, and MME 
as follows, 


Proc-KeNB1: 
If index increases from previous HO: K_eNB = NH*, 

$$K_{eNB}^{*} = KDF(K_{eNB}, PCI). \qquad (13.2)$$


(3) The serving eNB sends the handover command (NCC included) to UE. 

(4) The serving eNB runs process Proc-KeNB2 to create the new K_eNB. 

(5) UE runs process Proc-NH1 that updates NH depending on the UE's current NCC value 
and the NCC value included in the handover command. 


Proc-NH1: 
Temp-NCC = NCC; NH* = NH. 


In the UE, repeatedly update NH* while needed (i.e. while Temp-NCC < Received-NCC). The UE 
shall try at least MIN-NH-UPDATE (at least 04 in HEX) times before giving up with an error: 


NH* = KDF(K_ASME, NH*); ++Temp-NCC. 

(6) UE runs process Proc-KeNB1. 

(7) UE runs process Proc-KeNB2. 

(8) UE sends handover confirmation to the serving eNB. 
(9) UE runs process Proc-NH2 to commit the updated NH and NCC. 


Proc-NH2: 


NH = NH*; NCC = Temp-NCC; 
Delete NH*; Delete Temp-NCC. 


13.4.2.3 Intra-MME Key Handling 

Handover between eNBs may occur without changing the MME, which is called intra-MME 
handover. X2-handover only applies to intra-MME handover. Figure 13.15 illustrates the 
intra-MME key handling process. 

Figure 13.15 NH based key refresh with intra-MME handover. 
(1) UE sends measurement report to the source eNB. 

(2) The source eNB runs process Proc-KeNB1. 

(3) The source eNB sends handover request to the target eNB. The request also includes 
the security context: NCC, index increase indicator, and K_eNB*. 

(4) The target eNB sends handover request acknowledgment to the source eNB. 

(5) Target eNB runs process Proc-KeNB2. 

(6) The source eNB sends handover command (NCC included) to UE. 

(7) UE runs process Proc-NH1 that updates NH depending on the UE's current NCC and the 
received NCC. 

(8) UE runs process Proc-KeNB1. 

(9) UE runs process Proc-KeNB2. 

(10) UE sends handover confirmation to the target eNB. 

(11) UE runs process Proc-NH2. 

(12) The target eNB sends path switch request to MME. Note that the path switch message 
is transmitted after the handover itself has completed; the keying material it brings back 
is only used by the target eNB for the next handover procedure. Since the source eNB knows 
the target eNB's current keys (it derived K_eNB* itself), key separation from the source 
eNB is only achieved after two hops. 

(13) MME sends user-plane update request to S-GW. 

(14) MME runs process Proc-NH1 and may update NCC and NH*. 

(15) S-GW sends user-plane update response to MME. 

(16) MME sends path switch acknowledgment together with NCC and NH*. Target eNB 
updates its NCC and NH* with the received NCC and NH*, respectively. 

(17) MME runs process Proc-NH2. 

(18) Target eNB sends release resource message to source eNB and completes the entire 
handover process. 
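The following Go program is added here as a worked example; it is not part of the book. It puts the processes of Sections 13.4.2.1 to 13.4.2.3 together: the NH chain (Proc-NH0, the MME's NH update at path switch, the UE's bounded catch-up in Proc-NH1 and the commit in Proc-NH2) and the Proc-KeNB1/Proc-KeNB2 derivations exactly as this section states them. HMAC-SHA-256 stands in for the 3GPP KDF (the real KDF adds FC-tagged framing), and the K_ASME, PCI and C-RNTI values are constructed for the demonstration. The program then replays the two-hop separation argument of step (12): the source eNB can compute the key in use after the first (horizontal) handover, but not the key after the following one, once the MME has delivered a fresh NH. Note that the published TS 33.401 binds K_eNB* to the target PCI and EARFCN-DL and has no C-RNTI step; the Proc-KeNB2 on this page reflects an earlier draft, and the example follows the page.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdf stands in for the 3GPP KDF (TS 33.220: HMAC-SHA-256 over an FC-tagged
// input string; that framing is omitted here, an assumption of this example).
func kdf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

const minNHUpdate = 4 // bound on the UE's catch-up loop in Proc-NH1 (at least 0x04)

// nhChain is the {NH, NCC} state kept by the MME and mirrored by the UE.
type nhChain struct {
	kASME, nh []byte
	ncc       int // on air NCC is a 3-bit counter; wrap-around is not modelled here
}

// procNH0 initialises the chain from a fresh K_eNB (equation 13.1).
func procNH0(kASME, kENB []byte) nhChain {
	return nhChain{kASME: kASME, nh: kdf(kASME, kENB), ncc: 0}
}

// advance is the MME's NH update at path switch: one more hop of the chain.
func (c *nhChain) advance() { c.nh, c.ncc = kdf(c.kASME, c.nh), c.ncc+1 }

// procNH1 (UE side): derive NH* forward until Temp-NCC reaches the NCC in the
// handover command, giving up after minNHUpdate derivations.
func (c *nhChain) procNH1(receivedNCC int) (nhStar []byte, tempNCC int, err error) {
	nhStar, tempNCC = c.nh, c.ncc
	for tries := 0; tempNCC < receivedNCC; tries++ {
		if tries >= minNHUpdate {
			return nil, 0, errors.New("NCC too far ahead: giving up after MIN-NH-UPDATE")
		}
		nhStar, tempNCC = kdf(c.kASME, nhStar), tempNCC+1
	}
	return nhStar, tempNCC, nil
}

// procNH2 commits NH* and Temp-NCC as the current NH and NCC.
func (c *nhChain) procNH2(nhStar []byte, tempNCC int) { c.nh, c.ncc = nhStar, tempNCC }

// procKeNB1 (source eNB and UE): K_eNB* for the target cell, equation 13.2;
// with an NCC increase it starts from NH*, otherwise from the current K_eNB.
func procKeNB1(indexIncreases bool, nhStar, kENB, pci []byte) []byte {
	if indexIncreases {
		kENB = nhStar
	}
	return kdf(kENB, pci)
}

// procKeNB2 (target eNB and UE): the new K_eNB as the page describes it; the
// RRC and UP keys are then derived from this value and K_eNB* is deleted.
func procKeNB2(indexIncreases bool, nhStar, kENBStar, crnti []byte) []byte {
	if indexIncreases {
		return nhStar
	}
	return kdf(kENBStar, crnti)
}

func sameKey(a, b []byte) bool { return bytes.Equal(a, b) }

// twoHopSeparation replays the page's observation: a source eNB that produced
// K_eNB* can compute the target's key after a horizontal handover, but not the
// key of the following hop once the MME has delivered a fresh NH at path switch.
func twoHopSeparation() (followsHop1, followsHop2 bool) {
	kASME := bytes.Repeat([]byte{0x11}, 32) // constructed value
	kENB0 := kdf(kASME, []byte("NAS-UL-COUNT=0"))
	mme := procNH0(kASME, kENB0)
	ue := mme // after initial context setup the UE holds the same {NH, NCC}
	pci1, crnti1 := []byte("PCI=101"), []byte("C-RNTI=1a2b")
	pci2, crnti2 := []byte("PCI=202"), []byte("C-RNTI=3c4d")

	// Hop 1, NCC unchanged: eNB0 -> eNB1. eNB0 built K_eNB* and sees the C-RNTI.
	kStar1 := procKeNB1(false, nil, kENB0, pci1)
	kENB1 := procKeNB2(false, nil, kStar1, crnti1)
	followsHop1 = sameKey(procKeNB2(false, nil, kStar1, crnti1), kENB1)

	mme.advance() // path switch: fresh {NH, NCC} goes to eNB1 only

	// Hop 2, NCC increased: eNB1 -> eNB2, keyed from the fresh NH.
	kENB2 := procKeNB2(true, mme.nh, procKeNB1(true, mme.nh, kENB1, pci2), crnti2)

	// The UE rebuilds NH* from its own chain and the NCC in the handover command.
	nhStar, tempNCC, err := ue.procNH1(mme.ncc)
	if err != nil {
		panic(err)
	}
	ue.procNH2(nhStar, tempNCC)
	if !sameKey(procKeNB2(true, nhStar, procKeNB1(true, nhStar, kENB1, pci2), crnti2), kENB2) {
		panic("UE and target eNB disagree on K_eNB")
	}

	// eNB0 never saw the fresh NH; its best attempt is a horizontal derivation.
	guess2 := procKeNB2(false, nil, procKeNB1(false, nil, kENB1, pci2), crnti2)
	return followsHop1, sameKey(guess2, kENB2)
}

func main() {
	h1, h2 := twoHopSeparation()
	fmt.Printf("source eNB can derive the next-hop key: %v; the hop after that: %v\n", h1, h2)
}
```

Running it prints `true` for the first hop and `false` for the second, which is the "key separation after two hops" property of step (12). The bounded loop in procNH1 is the defensive detail worth keeping in a real UE: without the MIN-NH-UPDATE limit, a forged NCC far ahead of the UE's own value would make the UE burn through arbitrarily many KDF invocations.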


13.4.2.4 Inter-MME Key Handling 
If handover is required between different MMEs, it is called inter-MME handover. 
Figure 13.16 describes key derivation steps for inter-MME handover procedure. 


(1) UE sends measurement report to the source eNB. 

(2) The source eNB runs process Proc-KeNB1. 

(3) The source eNB sends handover required message to the source MME. Included in the 
message are the AS level security context: NCC, K_eNB*, and the index increase indicator. 

(4) The source MME sends forward relocation request to the target MME. Included in the 
request are the AS level security context from the source eNB, plus NH and NCC. 

(5) The target MME updates NH by running process Proc-NH1. 

(6) The target MME runs process Proc-NH1 again. 

(7) The target MME sends handover request to the target eNB. Included in the request 
are the AS level security context from the source eNB, plus fresh NH* and NCC. The 
target eNB updates its NCC and NH with the fresh NH* and NCC in the handover request if 
the MME included them in addition to the security context from the source eNB. 

(8) The target eNB sends handover request acknowledgment to the target MME. 

(9) The target eNB runs process Proc-KeNB2 based on the context received from the 
source eNB. 
Figure 13.16 Key refresh with inter-MME handover. 


(10) The target MME sends forward relocation response to the source MME. 

(11) The source MME sends handover command to the source eNB. Included in the message 
are NCC and NH* if updated. 

(12) The source eNB sends handover command to UE. Included in the message is the NCC 
from the source MME if present, otherwise the NCC that is in its memory. 

(13) UE runs process Proc-NH1 that updates NH depending on the UE's current NCC and 
the received NCC in the handover command. 

(14) UE runs process Proc-KeNB1. 

(15) UE runs process Proc-KeNB2. 

(16) UE sends handover confirmation to the target eNB. 

(17) UE runs process Proc-NH2. 

(18) The target eNB sends handover notification to the target MME. 

(19) The target MME sends forward relocation completion notice to the source MME. 

(20) The source MME sends forward relocation completion acknowledgment to the target MME. 

(21) The source MME runs process Proc-NH2. 
13.5 Security Algorithms 


Confidentiality of LTE signaling traffic and user plane traffic is protected by EEA. Integrity 
of LTE signaling traffic is protected by EIA. As mentioned earlier in this chapter, algorithm 
identifiers are involved in LTE AKA as well as in the LTE handover processes: the identifier 
selects which EEA and EIA algorithm is used, all with a 128-bit key. The algorithm identifier 
is a 4-bit value. The security algorithms in LTE are listed in Table 13.1. Algorithms 
EEA1 and EIA1 are identical to the UMTS algorithms with a mapping of LTE parameters 
to UMTS parameters. Both EEA2 and EIA2 will be illustrated in this section with 128-bit 
key input [112]. Readers may have noted that the algorithm identifier space leaves room for 
further options. EEA3/EIA3, based on ZUC and assigned identifier 0011, were added as a further 
choice for LTE; they are also illustrated in this section with 128-bit key input [113]. 


Table 13.1 Security algorithms in LTE. 

Identifier   Code name   Core algorithm 
0000         128-EEA0    Null ciphering algorithm 
0001         128-EEA1    SNOW 3G 
0010         128-EEA2    AES 
0011         128-EEA3    ZUC 
0001         128-EIA1    SNOW 3G 
0010         128-EIA2    AES 
0011         128-EIA3    ZUC 


13.5.1 128-EEA2 


As shown in Figure 13.17, EEA2 uses the block cipher AES in CTR mode to generate a key 
stream. Encryption and decryption are performed by XORing the plaintext or ciphertext with the 
key stream. AES was chosen as the kernel for the following reasons. First, an eNB needs to 
support network domain security (NDS/IP), which already uses AES. Moreover, the KASUMI based 
3GPP security algorithm carries a licensing fee when it is used for anything other than 3GPP 
access protection. AES-CTR uses 128-bit counter blocks T_i. The counter blocks are initialized 
and then encrypted one by one to generate the key stream. Figure 13.18 illustrates the 
structure of the first counter block T_1. Subsequent counter blocks are obtained by applying 
the standard integer incrementing function [114]. 


Standard Integer Incrementing Function: let n be the number of blocks, b be the block 
size, and m be the number of bits to be incremented. The standard incrementing function 
takes $[x]_m$ and returns $[x + 1 \bmod 2^m]_m$, i.e. only the m least significant bits of 
the b-bit counter block change. 


In this EEA2 implementation, b = 128 and m = 64 for standard integer incrementing. A 
key stream block is generated by encrypting a counter block with AES under the 128-bit key, 
i.e. $KS(i) = AES_K(T_i)$. The plaintext is partitioned into 128-bit blocks for encryption 
and decryption. The operation is simply XORing a key stream block with a plaintext block. 


Figure 13.17 Overview of EEA2 (AES under the 128-bit key encrypts counter block T_i; the 
resulting key stream block is XORed with the plaintext block to give the ciphertext block, and 
with the ciphertext block for decryption). 
Figure 13.19 Overview of EIA2 (MAC-I is MSB32 of the final AES-CMAC output). 


Figure 13.20 First input block (M_1) for 128-EIA2: COUNT (32 bits) || BEARER (5 bits) || 
DIRECTION (1 bit) || 000...0 (26 bits) || first 64 bits of MESSAGE, 128 bits in total. 


13.5.2 128-EIA2 


EIA2 is based on AES in CMAC mode to generate the message authentication code. An 
overview of EIA2 is given in Figure 13.19. The input message and the other parameters are 
partitioned into 128-bit blocks for processing. The 32 most significant bits of the final 
output form the message authentication code MAC-I. 

The first input block includes COUNT, BEARER, DIRECTION, zero padding, and the 
first 64 bits of MESSAGE, as shown in Figure 13.20. The following blocks are the partitioned 
remainder of MESSAGE, except for the last block M_n, which receives special treatment. Two 
subkeys K_1 and K_2 are derived from the input key for the last block. If the last block from 
the original message, M_n*, contains 128 bits (a complete block), then M_n = K_1 ⊕ M_n*. If 
M_n* needs padding to be complete, then M_n = K_2 ⊕ (M_n* || 10...0). The subkeys K_1 and K_2 
are derived using Algorithm 13.1, where << is a left shift by bits, i.e. (L << n) indicates 
L shifted left by n bits with the bits shifted out discarded. 
Algorithm 13.1 EIA2 subkey derivation 
Input: K; 
Output: K_1, K_2; 
R ← 0...0 10000111   (the constant R_b: 120 zero bits followed by 10000111); 
L ← AES_K(0...0); 
if MSB_1(L) == 0 then 
    K_1 ← L << 1; 
else 
    K_1 ← (L << 1) ⊕ R; 
end if 
if MSB_1(K_1) == 0 then 
    K_2 ← K_1 << 1; 
else 
    K_2 ← (K_1 << 1) ⊕ R; 
end if 
Return K_1, K_2; 


13.5.3 EEA3 


3GPP TS 35.221 [115] and 3GPP TS 35.222 [116] specify another set of algorithms, EEA3 
and EIA3, to be applied for LTE security. The two algorithms are based on ZUC, a stream 
cipher named after Zu Chongzhi, a famous ancient Chinese mathematician [113]. The 
overview of 128-EEA3 is shown in Figure 13.21. The inputs are the cipher key CK and a 
128-bit IV value. The ciphering key is used byte by byte as follows: 

$$CK = CK[0] \,\|\, CK[1] \,\|\, CK[2] \,\|\, \cdots \,\|\, CK[15].$$

The key stream produced by ZUC is XORed with the data block for encryption/decryption. EEA3 
is able to encrypt/decrypt a data block between 1 and 20000 bits long. The 128-bit IV is 
initialized based on COUNT, BEARER, and DIRECTION. The initialization process is illus- 
trated in Algorithm 13.2. 


Algorithm 13.2 EEA3 initialization 
Input: CK, COUNT, BEARER, DIRECTION; 
Output: Key, IV; 
for i := 0 to 15 do 
    Key[i] ← CK[i]; 
end for 
for i := 0 to 3 do 
    IV[i] ← COUNT[i]; 
end for 
IV[4] ← BEARER || DIRECTION || 00; 
for i := 5 to 7 do 
    IV[i] ← 0; 
end for 
for i := 8 to 15 do 
    IV[i] ← IV[i − 8]; 
end for 
Figure 13.21 Overview of 128-EEA3. 

Figure 13.22 Overview of 128-EIA3 (ZUC key stream applied to MESSAGE || padding through the 
accumulator T). 


Once the IV is generated, it is applied to ZUC to generate the key words Z[i], where i = 
1, 2, ..., ⌈LENGTH/32⌉, according to Algorithm 13.3. The encryption/decryption of EEA3 
is the same as for other stream ciphers: XORing the keystream with the data block. 


Algorithm 13.3 EEA3 keystream generation 
Input: LENGTH, Key, IV; 
Output: KEYSTREAM; 
L ← ⌈LENGTH/32⌉; 
Allocate memory space for the KEYSTREAM; 
Generate KEYSTREAM (L 32-bit words from ZUC initialized with Key and IV); 


13.5.4 EIA3 


EIA3 is a universal hash function using ZUC as its core, as shown in Figure 13.22. The 
final output is a 32-bit MAC value for integrity protection. An initialization vector IV is also 
generated for EIA3; however, it is different from the IV of EEA3. The initialization process 
of 128-EIA3 is illustrated in Algorithm 13.4. 


ZUC is applied to generate L key words KS[1], KS[2], ..., KS[L], where L = ⌈N/32⌉ and 
N = LENGTH + 64. The process of 128-EIA3 keystream generation is illustrated in Algo- 
rithm 13.5. Finally, the accumulator T generates the 32-bit MAC based on the message and 
the keystream according to Algorithm 13.6. Note that k[0], k[1], ..., k[31], k[32], ..., k[N − 1] 
are the key bit stream corresponding to the key words KS, and k_i denotes the 32-bit word 
formed by the bits k[i], k[i + 1], ..., k[i + 31]. 
Algorithm 13.4 EIA3 initialization 


Input: CK, COUNT, BEARER, DIRECTION; 
Output: Key, IV; 


for i := 0 to 15 do 
    Key[i] ← CK[i]; 
end for 
for i := 0 to 3 do 
    IV[i] ← COUNT[i]; 
end for 
IV[4] ← BEARER || 000; 
for i := 5 to 7 do 
    IV[i] ← 00000000; 
end for 
IV[8] ← IV[0] ⊕ (DIRECTION << 7); 
for i := 9 to 13 do 
    IV[i] ← IV[i − 8]; 
end for 
IV[14] ← IV[6] ⊕ (DIRECTION << 7); 
IV[15] ← IV[7]; 


Algorithm 13.5 EIA3 keystream generation 


Input: LENGTH, Key, IV; 
Output: KEYSTREAM; 


N ← LENGTH + 64; 

L ← ⌈N/32⌉; 

Allocate memory space for the KEYSTREAM; 
Generate KEYSTREAM (L 32-bit words from ZUC initialized with Key and IV); 


Algorithm 13.6 EIA3 MAC calculation 


Input: LENGTH, MESSAGE, KEYSTREAM; 
Output: MAC; 


T ← 0; 
for i := 0 to LENGTH − 1 do 
    if M[i] == 1 then 
        T ← T ⊕ k_i; 
    end if 
end for 
T ← T ⊕ k_LENGTH; 
MAC ← T ⊕ k_(32·(L − 1)); 
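The ZUC keystream generator itself is outside the scope of this section, but the parts of EEA3/EIA3 that Algorithms 13.2, 13.4 and 13.6 specify can be exercised on their own. The following Go program is an added example, not code from the book or from the ZUC reference implementation: it builds the EEA3 and EIA3 IVs and runs the EIA3 accumulator over a keystream supplied as 32-bit words. The keystream used in the demonstration is a constructed value rather than ZUC output, so the resulting MAC only serves to check the bit-window logic (a k_i that straddles two keystream words) and the final two XORs.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// eea3IV is Algorithm 13.2: COUNT in IV[0..3], BEARER||DIRECTION||00 in IV[4],
// IV[5..7] = 0, and IV[8..15] a copy of IV[0..7].
func eea3IV(count uint32, bearer, direction byte) [16]byte {
	var iv [16]byte
	binary.BigEndian.PutUint32(iv[0:4], count)
	iv[4] = (bearer&0x1f)<<3 | (direction&1)<<2
	copy(iv[8:], iv[:8])
	return iv
}

// eia3IV is Algorithm 13.4: as above, but DIRECTION is not in IV[4]; it is
// XORed in as the MSB of IV[8] and IV[14] instead.
func eia3IV(count uint32, bearer, direction byte) [16]byte {
	var iv [16]byte
	binary.BigEndian.PutUint32(iv[0:4], count)
	iv[4] = (bearer & 0x1f) << 3
	copy(iv[8:], iv[:8])
	iv[8] ^= (direction & 1) << 7
	iv[14] ^= (direction & 1) << 7
	return iv
}

// wordAt returns k_i, the 32-bit word made of keystream bits i..i+31
// (bit 0 is the MSB of KS[0]); it may straddle two keystream words.
func wordAt(ks []uint32, i int) uint32 {
	w, off := i/32, uint(i%32)
	if off == 0 {
		return ks[w]
	}
	return ks[w]<<off | ks[w+1]>>(32-off)
}

// eia3MAC is Algorithm 13.6 over a keystream of L = ceil((LENGTH+64)/32) words.
// msg holds LENGTH message bits, MSB first.
func eia3MAC(msg []byte, length int, ks []uint32) uint32 {
	l := (length + 64 + 31) / 32
	if len(ks) < l {
		panic("keystream shorter than ceil((LENGTH+64)/32) words")
	}
	var t uint32
	for i := 0; i < length; i++ {
		if msg[i/8]>>(7-uint(i%8))&1 == 1 {
			t ^= wordAt(ks, i)
		}
	}
	t ^= wordAt(ks, length)
	return t ^ ks[l-1]
}

func main() {
	// Constructed keystream; a real implementation takes it from ZUC keyed with
	// Key and eia3IV(...). Three words cover N = LENGTH + 64 = 65 bits.
	ks := []uint32{0x80000000, 0x00000000, 0x00000001}
	fmt.Printf("EIA3 IV %x\nMAC %08x\n", eia3IV(0x12345678, 3, 1), eia3MAC([]byte{0x80}, 1, ks))
}
```

The accumulator is where the universal hash does its work: every set message bit pulls in a different 32-bit window of the keystream, so the MAC of a message depends on the position of each bit, not only on its value.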


13.6 Security for Interworking Between LTE and Legacy Systems 


LTE has been deployed by many operators in the world, however, it is not the only wireless 
service provided for most of the operators. For example, some operators still provide GSM, 
UMTS, and LTE to their subscribers simultaneously. Seamless transition between LTE and 
legacy systems must be achieved not only for services but also for security. This section 
illustrates the security for interworking between LTE and UMTS systems, and between LTE 
and GSM systems for both idle mode and handover mode. 


13.6.1 Between LTE and UMTS 


Security for interworking between LTE and UMTS takes place in their serving networks, i.e. 
E-UTRAN and UTRAN, respectively. As illustrated earlier in this chapter and in the previous 
chapter, the LTE NAS attach request messages sent during the AKA process include the UTRAN 
security capabilities of the UE. All parameters needed for UMTS security are sent back to the 
UE in the corresponding integrity protected response messages. However, since the two 
systems are not exactly the same, security interworking is not as straightforward as it sounds. 


13.6.1.1 Idle Mode Mobility from E-UTRAN to UTRAN 

If the UE has previously been authenticated with the serving GPRS support node (SGSN) 
that is part of the UTRAN, then the UE already has a valid SGSN security context. As shown in 
Figure 13.23, a routing area update (RAU) request shall be sent to the SGSN together with 
the P-TMSI and a key set indicator (KSI). Note that LTE only supports packet service, thus 
the P-TMSI is used as the user identity. The KSI indicates the cached keys in the SGSN. If the 
network does not have a valid cached security context, then the UE must run UMTS AKA 
with the serving network. 

If the UE has not previously been authenticated with the SGSN, it does not have a valid 
cached SGSN security context. As shown in Figure 13.24, the UE sends a RAU request, its 
P-TMSI, and a KSI to the target SGSN. In this case, the P-TMSI is mapped from its GUTI. A 
NAS-token is included in the P-TMSI signature. The KSI only indicates KSI_ASME, which is 
the key set identifier of K_ASME. Both the UE and the target SGSN assign the value of KSI_ASME 
to KSI, i.e. KSI = KSI_ASME, so that K_ASME can be located. After that, the target SGSN forwards 
the P-TMSI signature and the NAS-token to the MME. The MME verifies the signature by 
comparing it with its own NAS-token; sometimes the NAS-token has to be truncated by some of 
its most significant bits for the comparison. Once the verification succeeds, the security 
context request message is authenticated and authorized. Both the UE and the MME will derive 


Figure 13.23 Interworking from E-UTRAN to UTRAN with cached context. 

Figure 13.24 Interworking from E-UTRAN to UTRAN without cached context. 


CK' and IK' from K_ASME and the current NAS downlink COUNT value indicated by the 
NAS-token, s.t. 

$$CK' \,\|\, IK' = KDF(K_{ASME}, COUNT).$$

Note that in practice the UE may not derive the keys at the same moment as the MME; it 
is simply logical for the UE to perform the operation at this step. After that, the MME sends 
the security context, including the UE's UTRAN and GERAN security capabilities, CK' || IK', and 
KSI_ASME, to the target SGSN. Finally, the target SGSN replaces its keys with the ones from 
the MME, and K_ASME is located with KSI_ASME. 


13.6.1.2 Idle Mode Mobility from UTRAN to E-UTRAN 

Interworking from UTRAN to E-UTRAN is to transfer CK || IK from the UE to the MME so that 
both MME and UE can derive K'_ASME for further LTE service. Mapped context and cached 
context are the two specific cases. 


• Mapped context: In this case, the UE has no cached context available. As shown in 
Figure 13.25, the UE sends a TAU request, together with the source system temporary identity, 
KSI_SGSN, and NONCE_UE, to the MME. Since no cached security context is available, the TAU 
request is sent unprotected. The MME then generates a NONCE_MME and fetches CK || IK from 
the SGSN based on KSI_SGSN and the temporary identity. After that, the MME generates a fresh 
mapped K'_ASME from NONCE_UE, NONCE_MME, and CK || IK. The final TAU accept message 
is protected using the NAS keys based on K'_ASME. 

• Cached context: In this case, the UE has a cached E-UTRAN security context. As shown in 
Figure 13.26, the UE sends the tracking area update (TAU) request, together with the tem- 
porary identity, KSI_SGSN, KSI_ASME, and NONCE_UE, to the MME. The cached security context 
algorithms are applied to protect the TAU request message. NONCE_UE is for the MME to ver- 
ify whether a cached context is available. If available, the MME is pointed to the source SGSN 
and updates the key set based on KSI_SGSN. If no cached security context is available in the 
network, the network switches to a mapped security context and derives K_eNB. K_eNB is 
delivered to the target eNB on the S1 interface. 

Figure 13.25 Interworking from UTRAN to E-UTRAN with mapped context. 

Figure 13.26 Interworking from UTRAN to E-UTRAN with cached context. 


13.6.1.3 Handover Mode from E-UTRAN to UTRAN 

In handover mode, interworking from E-UTRAN to UTRAN always uses a mapped context. 
As shown in Figure 13.27, once the MME receives the RAU request, it derives CK' and IK' 
from K_ASME and the current NAS downlink COUNT value using the KDF. Then, the MME 
transfers CK' || IK' and KSI_ASME to the SGSN. KSI_ASME is assigned to KSI since UTRAN does 
not support K_ASME. The SGSN transfers the RAU acknowledgment and the algorithms to the RNC. 
The selected algorithms are indicated to the UE in the handover command message. 

Figure 13.27 Interworking from E-UTRAN to UTRAN in handover mode. 

Figure 13.28 Interworking from UTRAN to E-UTRAN in handover mode. 


13.6.1.4 Handover Mode from UTRAN to E-UTRAN 
The interworking from UTRAN to E-UTRAN in the handover case is illustrated in Figure 13.28. 
The RNC sends a relocation request to the SGSN. The SGSN forwards the relocation request, 
together with the UE's E-UTRAN security capabilities and the UTRAN keys CK and IK, to the 
MME. The MME derives K'_ASME based on CK, IK, and NONCE_MME; K_eNB is then derived at the 
MME from K'_ASME. The MME sends a handover request, including NONCE_MME and K_eNB, to the 
eNB. KSI_ASME and KSI_SGSN are also sent to the eNB so that both mapped and cached context 
based K_eNB can be supported. The eNB is responsible for selecting the NAS, UP, and RRC 
algorithms. They are sent to the MME in the relocation acknowledgment. The MME includes 
the information in a relocation response and sends it to the SGSN. It is then forwarded to 
the RNC in a relocation command. The RNC forwards it to the UE in the UTRAN HO command. 
The UE then derives K'_ASME and notifies the eNB of handover completion. Finally, the eNB 
notifies the MME of the completion. 

Figure 13.29 Interworking from GERAN to E-UTRAN in handover mode. 


13.6.2 Between E-UTRAN and GERAN 


Interworking between E-UTRAN and GERAN is to ensure backward compatibility from LTE 
to GSM (GPRS). 


13.6.2.1 Idle Mode 
Similar to interworking between E-UTRAN and UTRAN, interworking from E-UTRAN to 
GERAN also supports cached context and mapped context. 


• Cached context: If the UE has a cached valid SGSN security context, it sends an LAU request 
together with the P-TMSI and KSI to the SGSN. The keys indicated by KSI overwrite the ones 
in the target SGSN. If no valid cached security context is available in the network, then 
an AKA shall be initiated. 

• Mapped context: If the UE does not have a cached SGSN security context, it also sends an LAU 
request together with the P-TMSI and KSI to the SGSN. However, this P-TMSI is mapped from 
the GUTI, and the KSI indicates KSI_ASME. The MME transfers the UE's UTRAN and GERAN 
security capabilities as well as CK' and IK' with KSI_ASME to the SGSN. The keys from the MME 
replace the ones in the target SGSN. 


The interworking process from GERAN to E-UTRAN is the same as the process from UTRAN 
to E-UTRAN. Please refer to Section 13.6.1 for more information. 


13.6.2.2 Handover Mode 

The interworking process in handover mode from E-UTRAN to GERAN is similar to the 
process from E-UTRAN to UTRAN. The MME derives CK' and IK' from K_ASME and transfers 
them to the SGSN. The SGSN derives K_c (the ciphering key in GERAN) from CK' and IK'. In 
the meantime, the MME also transfers the UE's UTRAN and GERAN security capabilities 
to the SGSN. It is the SGSN's responsibility to select the encryption algorithm to use in GERAN 
after handover. Note that GERAN does not support integrity protection. Figure 13.29 illustrates 
the interworking process from GERAN to E-UTRAN. The BSS sends a relocation request to the 
SGSN. The SGSN forwards the request to the MME. Then, the MME selects the NAS security 
algorithms and K_eNB. The information is included in a relocation request sent from the MME 
to the target eNB. The eNB selects the RRC and UP algorithms and replies to the MME with a 
relocation acknowledgment carrying the algorithm indication. Once the acknowledgment is 
received by the MME, it sends a relocation response to the SGSN with the selected NAS, UP, 
and RRC algorithms. The SGSN transfers those algorithms to the BSS through a specific 
message. A transparent container that includes the handover command, NONCE_MME and 
KSI_SGSN is created by the eNB and transferred to the target BSS. The UE is informed of the 
algorithms and other information through the handover command. The rest of the process is 
the same as that from UTRAN to E-UTRAN. 


13.7 Summary 


In this chapter, LTE security is illustrated. The LTE architecture was developed from the UMTS 
system, thus several security mechanisms are carried over with modifications, especially the 
AKA protocol. The major difference between LTE security and the previous generation is 
that LTE separates the control plane and the user plane. More keys are involved in LTE 
security to serve the more complicated system. Several security algorithms have been 
proposed and implemented to protect LTE. Algorithms such as AES and ZUC are applied as 
the cores of the LTE security algorithms EEA and EIA. Moreover, LTE also provides security 
for interworking with legacy systems as well as with non-3GPP access. LTE implements 
stronger security than the previous generation system, and it will continue to serve as an 
important part of the next generation wireless system. Even though LTE has been deployed 
for a few years already, it is still necessary to continue enhancing its security. 
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Security in 5G Wireless Networks 


The fifth generation (5G) wireless network systems are the next generation mobile 
wireless telecommunications beyond the current fourth generation (4G)/International 
Mobile Telecommunications (IMT)-Advanced Systems [117]. The advanced features of 
the 5G wireless network systems bring new security requirements and challenges. Since 
5G wireless network systems are still under development, this chapter introduces the 
current solutions and research results on security of 5G wireless network systems. 


14.1 Introduction to 5G Wireless Network Systems 


14.1.1 The Advancement of 5G 


The 5G wireless network systems (interchangeable with 5G systems for the rest of this 
chapter) are more than a direct improvement over the legacy 4G cellular networks. The 
new systems will include several advanced features to support demanding services [118]. 
As listed in Table 14.1, the 5G wireless network systems will have huge improvement in 
communication bandwidth, transmission latency, coverage, and energy efficiency (EE). 
The advanced features are introduced to better support the implementation of high- 
density mobile broadband networks, device-to-device (D2D) communications, massive 
machine-type communications, low-latency and low-energy Internet of things (IoT), 
vehicular communication networks, and many other types of applications [119-121]. 
Various new technologies have been developing to support all the advanced features of 
5G systems [122]. The most significant ones include heterogeneous networks (HetNets), 
massive multiple-input multiple-output (MIMO), millimeter wave (mmWave) [123], 
D2D communications [124], software defined networking (SDN) [125], network functions 
virtualization (NFV) [126], and network slicing [127]. A generic architecture of 5G 
systems is shown in Figure 14.1. As it shows, 5G systems can provide not only traditional 
voice and data communications, but also many new use cases, such as vehicle-to-vehicle 
and vehicle-to-infrastructure communications, industrial automation, health services, 
smart cities, smart homes, critical services, and many other new industry applications, as 
well as a multitude of devices and applications to connect society at large [128-130]. 


Security in Wireless Communication Networks, First Edition. Yi Qian, Feng Ye, and Hsiao-Hwa Chen. 
© 2022 John Wiley & Sons Ltd. Published 2022 by John Wiley & Sons Ltd. 
Companion website: www.wiley.com/go/qian/sec51 
Table 14.1 Advanced features of 5G wireless systems. 

Feature                  Target 
High data rate           1-10 Gbps connections to end points in the field 
Low latency              1 ms latency 
Large connectivity       10-100 times the number of connected devices 
High availability        99.999% availability 
High energy efficiency   90% reduction of network energy usage 

Source: Based on GSMA Intelligence [119]. 
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Figure 14.1 A generic 5G wireless system. 


14.1.2 5G Wireless Network Systems 


The standardization process for 5G wireless systems is in progress. 5G systems certainly 
introduce new perspectives and changes to legacy systems. In a 5G wireless network, user 
equipment (UE) and services are not limited to traditional mobile phones, voice and data 
services. More than 70 different use cases have been identified. The use cases are 
classified into four different groups by 3GPP: massive IoT, critical communications, 
network operation, and enhanced mobile broadband [131]. 

Figure 14.2 shows a general 5G wireless network system [132]. The radio access network 
in a 5G wireless network combines virtualization, centralization, and coordination tech- 
niques for efficient and flexible resource allocation. In addition to 3GPP access (e.g. LTE) 
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Figure 14.2 A general 5G wireless network system. Source: Fang et al. [132]. 


and non-3GPP access (e.g. CDMA and Wi-Fi), new radio access for certain use cases will 
also be supported for efficient spectrum utilization. Moreover, several new tech- 
nologies, such as massive MIMO, HetNet, and D2D communications, are to be deployed in the 
access network to improve the network performance. The core of 5G systems will inherit 
the LTE evolved packet core (EPC) in the first stage of implementation. In later stages, 
the EPC will be virtualized with network slicing, SDN, and NFV to be flexible 
and service-oriented for different use cases. The virtualized evolved packet core (VEPC) is 
expected to be access-independent by fully separating the control plane and user plane for 
flexibility and scalability. Different types of cloud computing will support the VEPC. The edge 
cloud is distributed to improve the service quality. The central cloud can implement global data 
sharing and centralized control. 


14.2 5G Security Requirements and Major Drives 


The new architecture, new technologies, and new use cases in 5G systems, nonetheless, 
will bring new challenges to security and privacy protection [133]. 


14.2.1 Security Requirements for 5G Wireless Networks 


The security requirements of 5G wireless networks are widely discussed among the com- 
munities [120, 127, 134]. 5G wireless networks need to be backward compatible to legacy 
LTE security. For example, mutual authentication and user traffic encryption are pro- 
vided between UE and base station; key hierarchy and handover key management are 
provided to secure access and mobility management in legacy LTE. 

In addition to those have been applied to legacy LTE systems, new security mechanisms 
are needed to comply with the overall 5G advanced features such as low latency and high 
energy efficiency [135]. As shown in Table 14.2, 5G wireless networks will be service- 
oriented that emphasize on security and privacy requirements regarding to corresponding 
services [133]. Due to the rapid increase of network capacity and number of user devices, 
Table 14.2 Security requirements for 5G wireless networks. 

Area                    Requirement 
                        Improve resilience and availability of the network against signaling 
                        based threats including overload caused maliciously or unexpectedly 
                        Specific security design for extremely low latency 
4G compliance           Comply with security requirements defined in 3GPP 4G standards 
                        Provide Public Safety and Mission Critical Communications (resilience 
                        and high availability) 
5G network traffic      Be resilient to significant changes in network traffic patterns 
5G radio access         Improve system robustness against smart jamming attacks; improve 
                        security for 5G small cell nodes 
5G signaling plane      Improve overload controls to mitigate possible attacks from a huge 
                        number of compromised M2M/IoT devices 
5G user plane           Possible integrity protection of user plane data in special cases 
5G security measures    Possible mandates on security measures in 5G wireless networks 


5G network traffic can suffer from sudden and significant changes in network traffic 
pattern. It is required for 5G security to be resilient to those significant changes. Security 
of the 5G radio access requires to consider small cell nodes in the design. Also, 5G 
radio access needs to be robust against smart jamming attacks. Moreover, huge number 
of compromised machine-to-machine (M2M) and IoT devices may bring down the 5G 
signaling plane. Therefore, overload controls must be improved to mitigate the possible 
effects. Some special cases in 5G wireless networks such as battery power IoT devices or 
low latency 5G devices may not afford application level integrity protection. Protection can 
be added by providing integrity to the 5G user plane. However, most user cases should rely 
on upper layers to provide data integrity. Moreover, it may be helpful to mandate the use 
of security measures in 5G wireless networks to mitigate hazards due to the optional 
implementation in the legacy LTE systems. 


14.2.2 Major Drives for 5G Wireless Security 


There are three major drives for 5G wireless security: supreme built-in-security, flexible secu- 
rity mechanisms, and automation, as illustrated in Figure 14.3. 


14.2.2.1 Supreme Built-in-Security 

Security must be considered as an integral part of the overall architecture and from the 
very beginning of 5G wireless network systems design. On one hand, security require- 
ments introduced from new use cases and new technologies need to be addressed in 5G 
security design [136]. For example, HetNet in 5G systems may need delay sensitive and 
frequent authentications due to complex network structures [137]. SDN and NFV in 5G 
systems will support new service delivery models and thus require new security aspects 
[138, 139]. On the other hand, new technologies also introduce new security approaches in 
5G system design. For example, massive MIMO in 5G systems is considered effective against 
eavesdropping with proper implementation [140]. SDN and NFV certainly introduce more 
flexible and powerful software implementations of security mechanisms in 5G systems. 

Figure 14.3 Major drives for 5G wireless security. 


14.2.2.2 Flexible Security Mechanisms 

Security of more than 70 use cases must be supported in 5G wireless networks. Thus trust 
models in 5G systems need to be refreshed from the one used in legacy LTE systems. 
As shown in Figure 14.4, trust models are enabled between users/services and 
users/networks, while in 5G systems trust models are extended to services/networks [133]. 
Security mechanism design must be flexible for vertical-industry use cases [141]. 
For instance, mobile devices require relatively lightweight security mechanisms due to 
power constraints. High-speed services also require efficient security services due to 
latency requirements. Moreover, authentication management in 5G systems is more complex 
due to the various types and massive number of connected devices. 


14.2.2.3 Automation 

Automated and intelligent security controls need to be combined with automated holistic 
security management in 5G wireless security [135]. Automation in 5G systems may intro- 
duce more challenges since services closely interact with each other. For example, the fixed 
telephone line, Internet access, and TV service could be interrupted simultaneously given 
an outage of a major network [133]. Moreover, privacy needs extra attention in 5G wireless 
security design since more personal information would be exposed to network and service 
management. 

Figure 14.4 Trust models of 4G and 5G wireless networks. 


14.2.3 Attacks in 5G Wireless Networks 


Security attacks in wireless networks can be classified into passive and active ones. Passive 
attacks tend to make use of the information from legitimate users, while not altering active 
communications. Active attacks can involve modification of the data, and/or interruption 
of legitimate communications. Figure 14.5 illustrates four typical attacks at physical (PHY) 
and medium access control (MAC) layers in 5G wireless networks. 


14.2.3.1 Eavesdropping and Traffic Analysis 

Eavesdropping is a passive attack that uses an unintended receiver to intercept messages 
by tapping into communication channels, as shown in Figure 14.5a. Due to the nature of 
wireless communications, eavesdropping can be easily deployed, whereas detection of such 
attack is rather difficult. Traffic analysis is another type of passive attack that intends to 
intercept information such as location and identity of the communication parties by ana- 
lyzing the traffic of the received signal without understanding the contents carried by the 
signal. 


14.2.3.2 Jamming 

Jamming is an active attack that tends to disrupt on-going communications between legit- 
imate users, as shown in Figure 14.5b. Such attack is conducted by generating high inter- 
ference in the communication channel thus normal transmission cannot be identified at 
the receiver side. In some MAC layer protocols, e.g. carrier sense multiple access-collision 
avoidance (CSMA/CA), a jamming attack may block authorized users from accessing radio 
resources. 

Figure 14.5 PHY/MAC layer attacks in 5G wireless networks. (a) Eavesdropping and traffic 
analysis. (b) Jamming. (c) DoS and DDoS. (d) Man-In-The-Middle. 


14.2.3.3 DoS and DDoS 

DoS and DDoS are active attacks that tend to exhaust resources from legitimate users and/or 
network systems, as shown in Figure 14.5c. Success of a DoS/DDoS attack can compromise 
the availability of 5G wireless networks, posing threats to both operators and users [134]. 
A DoS/DDoS attack against the network infrastructure can strike the signaling plane, user 
plane, management plane, support systems, radio resources, logical, and PHY resources. 
A DoS attack against a device/user can target the battery, memory, disk, CPU, radio, actuators, 
and sensors. Currently, detection is mostly used to recognize DoS and DDoS attacks. 


14.2.3.4 Man-In-The-Middle (MITM) 

MITM is an active attack that tends to intercept, modify, and replace communication mes- 
sages between two legitimate users, as shown in Figure 14.5d. Success of an MITM 
attack may compromise data confidentiality, integrity, and availability of the 5G wireless 
networks. In a legacy cellular network, false base station based MITM forces a legitimate 
user to create a connection with a rogue base transceiver station [142]. Mutual authentica- 
tion between the mobile device and the base station is normally used to prevent the rogue 
base station based MITM. 


14.3 A 5G Wireless Security Architecture 


A new security architecture is needed in 5G networking paradigms [143]. New elements 
will be added to achieve all those required security services. 


14.3.1 New Elements in 5G Wireless Security Architecture 


Typical new elements at the control plane of 5G wireless security architecture are cloud 
based computing systems. As shown in Figure 14.6, the newly added computing systems 
are edge clouds and a central cloud. Edge clouds are applied to improve the network perfor- 
mance by reducing the communication delay. Central cloud connects the edge clouds for 
data sharing and centralized control. 
Figure 14.6 Elements in a 5G security architecture. 

The 3GPP Technical Report (TR) 23.799 defines the major network functions at the 
control plane of the VEPC of 5G systems [144]: 


• Access and mobility management function (AMF): This function is applied to manage 
access control and mobility, similar to the mobility management entity (MME) for the 4G 
network. AMF can vary with different use cases in 5G systems. Note that the mobility man- 
agement function is not necessary for fixed access applications. 

• Session management function (SMF): This function is set up based on network policy to 
manage sessions. Multiple SMFs can be assigned to a single AMF for each user. 

• Unified data management (UDM): This function manages subscriber data and profiles, 
such as authentication data of users, for both fixed and mobile accesses in VEPC. 

• Policy control function (PCF): This function provides roaming and mobility management, 
quality of service, and network slicing. AMF and SMF are controlled by PCF. Differenti- 
ated security can be provided with PCF. 


14.3.2 A 5G Wireless Security Architecture 


A 5G wireless security architecture is shown in Figure 14.7 [132]. With the new character- 
istics of VEPC, a separation of data plane and control plane of VEPC is proposed, where 
the data plane can be programmable for flexibility. AMF and SMF are integrated in the 4G 
network as MME. The separation of AMF and SMF in 5G can support a more flexible and 
scalable architecture. In the control plane, network functions can be applied based on dif- 
ferent use cases. Similar to the 4G network, four security domains are defined in the 5G 
wireless security architecture. 


14.3.2.1 Network Access Security (I) 

The set of security features that provide the user interface to access VEPC securely and 
protect against various attacks on radio access links. New PHY layer communication 
technologies such as massive MIMO, HetNet, D2D communications, and mmWave are 
applied to the radio access network with new challenges and opportunities in network 
access security. Current research on network access security focuses on providing user 
identity and location confidentiality, user data and signaling data confidentiality, and entity 
authentication. 
Figure 14.7 A 5G wireless network security architecture. Source: Fang et al. [132]. 




14.3.2.2 Network Domain Security (II) 

The set of security features that protect against attacks between access network and VEPC 
for secure signaling data and user data exchange. New security vulnerabilities introduced 
by technologies such as cloud computing, network slicing and NFV need to be addressed 
in this domain. Nonetheless, the separation of control plane and user plane can greatly 
reduce the overhead from signaling data synchronization. Entity authentication, data 
confidentiality, and data integrity are the main security services in this level. With the 
independent characteristics of access technologies of AMF, the network domain security 
performance can be simplified and improved. 


14.3.2.3 User Domain Security (III) 

The set of security features that provide mutual authentication between the user interface 
and VEPC before the control plane access to the user interface. Based on each use case, 
the authentication may be needed for more than two parties. For example, the authentica- 
tion can be required between a user and network operator as well as between a user and 
application service provider. Moreover, different service providers may need to authenticate 
each other to share the same user identity management. Compared with the device-based 
identity management in legacy cellular networks, new identity management methods are 
needed to improve the security performance. 


14.3.2.4 Application Domain Security (IV) 

The set of security features that ensure the security message exchange between applications 
on the interfaces, between user interface and service provider, as well as between a user and 
the network operator. 


14.4 5G Wireless Security Services 


14.4.1 Cryptography in 5G 


Cryptography will be used for 5G security services including authentication, availability, 
confidentiality, and key management. Recent developments and solutions can be mainly 
divided into two categories: cryptographic approaches with new networking protocols and 
PHY layer security approaches. The cryptographic techniques, both symmetric-key and 
public-key based, are commonly deployed at the upper layers of the 5G wireless networks 
for new networking protocols. The performance of a cryptography-based security service 
depends on the key length and computational complexity of the corresponding algorithms. 
Key management of symmetric key algorithms is well designed in the traditional cellular 
networks. Due to the heterogeneous architecture and various access networks, 5G systems 
require a re-visit to key management designs in the new protocols [132]. In comparison, 
PHY layer security has relatively low computational complexity and high scalability [145]. 
Different from cryptographic algorithms, the security performance of PHY layer security is 
evaluated based on secrecy capacity and secrecy outage probability. 
As shown in Figure 14.8, the secrecy capacity $C_s$ is defined as: 

$$C_s = C_m - C_e, \qquad (14.1)$$

where $C_m$ is the main channel capacity of the legitimate user, and $C_e$ is the channel capacity 
of the eavesdropper. The secrecy outage probability is an extension of the secrecy capacity 
that computes the probability of an instantaneous $C_s$ being less than a target secrecy rate 
$R_s$, i.e. 

$$P_{out} = P(C_s < R_s). \qquad (14.2)$$

Figure 14.8 Channel capacities in PHY layer security. 

Besides these two metrics, transmission power can also be involved. For example, 
secrecy energy efficiency can be defined as the ratio of $C_s$ to the corresponding power 
consumption [146]. 
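The three PHY layer metrics above, worked as an added example (not code from the book or from [145, 146]): secrecy capacity per Eq. (14.1), secrecy outage probability per Eq. (14.2) over a set of channel realisations, and secrecy energy efficiency. The Rayleigh-fading sample generator and all channel gains are constructed for the demonstration and are assumptions, not values from the text.

```python
import math
import random


def capacity_bits(snr):
    """Channel capacity in bit/s/Hz for a linear (not dB) SNR: log2(1 + SNR)."""
    return math.log2(1.0 + snr)


def secrecy_capacity(snr_main, snr_eve):
    """Eq. (14.1): C_s = C_m - C_e. A negative difference means the eavesdropper's
    channel is better than the legitimate one, so no secret bits can be delivered
    and the usable secrecy capacity is zero."""
    return max(0.0, capacity_bits(snr_main) - capacity_bits(snr_eve))


def secrecy_outage_probability(snr_pairs, target_rate):
    """Eq. (14.2): P_out = P(C_s < R_s), estimated as the fraction of channel
    realisations (snr_main, snr_eve) whose instantaneous C_s is below R_s."""
    outages = sum(1 for sm, se in snr_pairs
                  if secrecy_capacity(sm, se) < target_rate)
    return outages / len(snr_pairs)


def secrecy_energy_efficiency(snr_main, snr_eve, tx_power):
    """Secrecy energy efficiency [146]: C_s per unit of transmit power."""
    return secrecy_capacity(snr_main, snr_eve) / tx_power


def secrecy_capacity_vs_power(gain_main, gain_eve, noise, powers):
    """What power control buys: with fixed channel gains, raising the transmit
    power raises both C_m and C_e, and C_s saturates at log2(gain_main/gain_eve).
    Spending more power beyond that point only lowers the secrecy energy efficiency."""
    return [secrecy_capacity(p * gain_main / noise, p * gain_eve / noise)
            for p in powers]


def rayleigh_snr_pairs(mean_snr_main, mean_snr_eve, n, seed=7):
    """Constructed sample channel (assumption for the demo): Rayleigh fading gives an
    exponentially distributed instantaneous SNR around each mean."""
    rng = random.Random(seed)
    return [(rng.expovariate(1.0 / mean_snr_main), rng.expovariate(1.0 / mean_snr_eve))
            for _ in range(n)]


if __name__ == "__main__":
    samples = rayleigh_snr_pairs(mean_snr_main=100.0, mean_snr_eve=10.0, n=20000)
    for r_s in (0.5, 1.0, 2.0, 3.0):
        p_out = secrecy_outage_probability(samples, r_s)
        print(f"R_s = {r_s} bit/s/Hz  ->  P_out = {p_out:.3f}")
    curve = secrecy_capacity_vs_power(1.0, 0.1, 0.01, [0.01, 0.1, 1.0, 10.0, 1000.0])
    print("C_s vs transmit power:", [round(c, 3) for c in curve])
```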


14.4.2 Identity Management 


In the 4G cellular networks, the identity management is device-based, through the univer- 
sal subscriber identity module (USIM) cards. However, USIM cards may not be available to 
devices such as IoT sensors and smart home controllers in 5G systems. Therefore, the UDM 
in 5G devices will handle the identity management based on cloud. Moreover, anonymity 
service is required in many use cases in 5G wireless networks. Therefore, the identity man- 
agement will be different in 5G wireless networks compared with that in the 4G networks. 
New identity management is required. Based on the characteristics of the use cases, differ- 
ent identity managements can be applied as shown in Table 14.3. 

The 5G system user-based identity management will be more efficient in letting the user 
determine what devices are allowed to access the network and services. One user may have 
multiple device identities. Besides only considering the device identity, a service identity 
can be added to the device identity as device and service identity management. The device 
identity is unique and the service identity can be assigned by a service provider in a certain 
session. With service identity, the revocation process will be simplified. Moreover, for 
trusted service providers, federated identity management can be applied to simplify the 
identity management and also improve the user experience. The identity management in 
5G wireless networks is not unified for all use cases. 

Table 14.3 Identity management in 5G wireless networks - from USIM to UDM. 

USIM   Device-based identity management 
UDM    Device-based identity management 
       User-based identity management 
       Device and service identity management 
       User-based and service identity management 
       Federated identity management 


14.4.3 Authentication in 5G 


Authentications in the legacy cellular networks are normally symmetric-key based. 
For example, the UMTS and LTE systems provide mutual authentication between a 
mobile station and the network. The authentication also includes a key generation and 
distribution process. Besides supporting the legacy systems, 5G authentication must also 
be flexible with new technologies to support many use cases. 


14.4.3.1 Flexible Authentication 

In the legacy cellular networks, mutual authentication is applied between a user and 
the network. However, the authentication between a user and the service provider 
is not implemented by the network. In 5G wireless network systems, some use cases 
may require both the service provider and the network provider to carry out authentication 
with the users. Therefore, 5G wireless networks require flexible authentication to meet 
security requirements while satisfying the quality of service requirements. As shown in 
Figure 14.9, the authentication mechanism in 5G systems is selected based on UE, access 
technique, service requirement, and security requirement. 

The chosen mechanism leads to the choices of trust model and cryptographic function. 
The input information can be included in the PCF, which then controls the AMF in the 
VEPC to perform the authentication procedure. Although non-3GPP access is supported in 
legacy LTE systems, a full authentication and key agreement (AKA) is required once a user 
changes the access technology. In the 5G security architecture, a full AKA can be skipped 
during access technology switching, thus providing more efficient AKA in 5G systems. 


14.4.3.2 Authentication Through Legacy Cellular System 

Initially, a user needs to be associated to 3GPP access in a 5G system for seamless sup- 
port from legacy cellular networks (e.g. LTE, UMTS). The initialization process is to verify 
identity and achieve key agreement. A user may also be initialized through a legacy system 
directly. 

Based on the LTE security architecture, the authentication vector is generated at the home 
subscriber server (HSS) and is then transmitted to the MME, as shown in Figure 14.10. 
However, in the 5G security architecture, the authentication vector can be generated at the AMF 
to reduce the overhead of communications and to reduce the risk of exposing $K_{ASME}$ and the 
expected response (XRES). With the flexibility of network functions, AMF and UDM can 
be widely distributed to handle the authentication of a massive number of user devices. 
Nevertheless, due to the coupled control plane and user plane, MME and HSS have limited 
scalability. If the authentication is initialized in 5G systems through 3GPP access, the AKA 
process is implemented through AMF and UDM in the 5G VEPC, as shown in Figure 14.11. 
Since AMF and UDM are both in the control plane, the overhead for information exchange 
between AMF and UDM is negligible compared with the overhead between entities such 
as MME and HSS. 

Figure 14.9 Authentication mechanism selection. 

Figure 14.10 Authentication based on legacy security architecture. 

Figure 14.11 Authentication based on the 5G security architecture. 

14.4.3.3 SDN Based Authentication in 5G 

SDN in the core network of 5G systems not only provides enhanced data transmission 
performance, but also introduces new approaches to authentication. An example of an 
SDN enabled authentication model is shown in Figure 14.12. Thanks to optimal 
processing power allocation and information exchange, the SDN controller can provide fast 
authentication to support the low latency requirement of 5G systems [147]. For example, 
weighted secure-context-information (SCI) in SDN can be applied as a non-cryptographic 
security technique to improve authentication efficiency during frequent handovers in 
a 5G HetNet. PHY layer attributes provide a unique fingerprint of the user and simplify the 
authentication procedure. The fingerprint can be based on multiple user-specific PHY 
layer attributes. The validated original attributes are obtained after a full authentication. 
The observations are collected by constantly sampling multiple PHY layer attributes 
from the received packets at the SDN controller. Both the original file and the observation 
results contain the mean value and the variance of the chosen attributes. 
Then the mean attribute offset can be calculated from the validated original attributes 
and the observed attributes. If the attribute offset is less than a pre-determined threshold, 
the UE is considered legitimate. After the first full authentication in one cell, the result can be 
readily applied in other cells with MAC address verification, which only needs local 
processing. Moreover, full authentication can even be done without disrupting the user 
communications. A valid time duration parameter can be used to flexibly adjust the security 
level requirement. Compared with digital cryptographic authentication methods, it 
is hard to compromise the SDN based method completely due to the user-inherent PHY 
layer attributes. Typically, more than one PHY layer characteristic is used in SCI to 
improve the authentication reliability for applications requiring a high level of security. 


Figure 14.12 An SDN enabled authentication model (SDN controller over two small cells; 
1. full authentication, 2. secure context transfer, 3. fast authentication). 
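The SCI offset check described above, as an added example (not code from the book or from [147]): the controller keeps the mean and variance of each validated attribute, normalises the observed mean offset by the reference standard deviation so attributes in different units can be weighted and combined, compares the weighted offset with a threshold, and falls back to a full authentication once the secure context's valid time duration has expired. The attribute names, weights, sample values and threshold are constructed assumptions.

```python
import math
from statistics import mean, variance


def build_profile(samples_by_attr):
    """Validated original attributes: after a full authentication the controller
    stores (mean, variance) per PHY layer attribute for this UE."""
    return {name: (mean(v), variance(v)) for name, v in samples_by_attr.items()}


def observe(samples_by_attr):
    """Observation: the same statistics over freshly sampled received packets."""
    return build_profile(samples_by_attr)


def mean_attribute_offset(profile, observation, weights):
    """Weighted mean offset between validated and observed attribute means. Each
    offset is divided by the reference standard deviation so that dBm, ppm and
    microseconds are comparable before weighting."""
    total = sum(weights[name] for name in profile)
    acc = 0.0
    for name, (ref_mean, ref_var) in profile.items():
        obs_mean, _ = observation[name]
        acc += weights[name] * abs(obs_mean - ref_mean) / math.sqrt(ref_var)
    return acc / total


def fast_authenticate(profile, observation, weights, threshold, now, valid_until):
    """Controller decision. An expired secure context forces a full authentication
    regardless of how good the fingerprint match is; otherwise the UE is accepted
    when the weighted offset is below the pre-determined threshold."""
    if now > valid_until:
        return ("full-auth-required", None)
    offset = mean_attribute_offset(profile, observation, weights)
    return ("accept" if offset < threshold else "reject", offset)


# Constructed sample data (assumptions): RSSI in dBm and carrier frequency
# offset in ppm, sampled during the full authentication in the first cell.
VALIDATED = {
    "rssi_dbm": [-60, -61, -59, -60, -62, -58],
    "cfo_ppm": [1.2, 1.1, 1.3, 1.2, 1.0, 1.4],
}
WEIGHTS = {"rssi_dbm": 1.0, "cfo_ppm": 2.0}   # CFO is oscillator-bound: weight it more
THRESHOLD = 1.0                                # offset in units of reference std dev
LEGIT_OBS = {"rssi_dbm": [-61, -60, -59], "cfo_ppm": [1.25, 1.15, 1.2]}
SPOOF_OBS = {"rssi_dbm": [-48, -47, -49], "cfo_ppm": [2.0, 2.1, 1.9]}


if __name__ == "__main__":
    profile = build_profile(VALIDATED)
    for label, obs in (("legitimate UE", LEGIT_OBS), ("other radio", SPOOF_OBS)):
        print(label, fast_authenticate(profile, observe(obs), WEIGHTS, THRESHOLD, 10, 60))
    print("expired context", fast_authenticate(profile, observe(LEGIT_OBS), WEIGHTS, THRESHOLD, 61, 60))
```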




14.4.3.4 Authentication of D2D in 5G 

5G systems need to provide authentication of D2D communications. In some cases, D2D 
authentication utilizes simple algorithms and techniques due to the limited bandwidth and 
energy of the devices. For example, cyclic redundancy check (CRC) based hash functions 
can be applied to detect double-bit errors in a given message [148]. A linear feedback shift 
register (LFSR) can be used to implement the CRC. The message authentication algorithm 
outputs an authentication tag based on a secret key and the message. It is assumed that the 
adversary knows the family of hash functions but not the particular polynomial g(x) and the 
pad s that are used to generate the authentication tag. The generator polynomial is changed 
periodically at the beginning of each session and the pad s is changed for every message. 
A new family of cryptographic hash functions based on CRC codes with generator 
polynomials g(x) = (1+x)p(x) is introduced, where p(x) is a primitive polynomial. 
The proposed CRC retains most of the implementation simplicity of cryptographically 
non-secure CRCs. However, the applied LFSR requires re-programmable connections. 
New techniques such as security-scoring based continuous authenticity may be applied 
to 5G D2D authentication [149]. The principle of legitimacy patterns is proposed to 
implement continuous authenticity, which enables attack detection and system security 
scoring measurement. For a legitimacy pattern, a redundant sequence of bits is inserted 
into a packet to enable attack detection. Simulation results show the feasibility of 
implementing the proposed security scoring using legitimacy patterns. Moreover, legiti- 
macy patterns considering technical perspectives and human behaviors could improve the 
performance. 


14.4.3.5 Authentication of RFID in 5G 

Radio frequency identification (RFID) can be widely integrated into applications in 5G 
systems. Due to hardware constraints in low-cost RFID tags, authentication mecha- 
nisms applied to RFID systems have been simple and efficient, mainly based on hash 
functions. The existing RFID authentication models may be applied directly to 5G use 
cases. However, the authentication revocation process needs to be much improved because 
5G use cases may involve frequent handover between different access networks as well 
as high-speed mobility. An example of an authentication and revocation process for RFID 
secure applications in 5G systems is shown in Figure 14.13. The whole process is based 
on a typical challenge-response mechanism using a hash function [150]. To authenticate 
or revoke a tag $i$, the reader generates a random number $r_R$ through a pseudo-random 
number generator (PRNG). The random number $r_R$ is sent together with an authentication 
request $q$ to the tag. Upon receiving the request, the tag generates a random number 
$r_T$ and computes two hash values $H(ID_i \,\|\, q \,\|\, r_R)$ and $H(K_i \,\|\, r_R \,\|\, r_T)$, and a piece of 
authentication information $F = E \oplus K_i$, where $E$ is the status flag that is used to indicate 
an authentication or revocation process. The reader forwards all messages to the server for 
verification. Depending on the status flag $E$, the server authenticates or revokes the tag. 
A hash value $H(ID_i \,\|\, K_i \,\|\, r_R \,\|\, r_T)$ is computed as the final confirmation message. 

Note that $(ID_S, ID_i)$ are issued from the server to describe the public identity of tag $i$. 
Besides, a pre-shared key $K_i$ is also issued from the server for tag $i$. In practice, $K_i$ 
includes a pair of keys to be used during seamless handover. 
Figure 14.13 An authentication and revocation process of RFID secure applications. 


14.4.4 Data Confidentiality in 5G 


Data confidentiality service is commonly required to tackle eavesdropping attacks. In the 
legacy systems, cryptographic methods are used for implementing data confidentiality by 
encrypting data with secret keys. In most cases, symmetric key cryptography is adopted 
for data encryption, while public-key cryptography is applied to key distribution. Crypto- 
graphic approaches will continue playing an important role in the 5G wireless networks. 
Moreover, new methods will be implemented to ensure confidentiality. This section will 
focus on introducing the new implementations in PHY layer security, including power con- 
trol, artificial noise, and signal processing. 


14.4.4.1 Power Control 

As mentioned earlier in PHY layer security, an eavesdropper relies on the leaked capacity 
$C_e$ from the legitimate channel to recover useful information. A transmitter can set its trans- 
mit power to suppress $C_e$. In 5G systems, a transmission can involve more than one pair of 
transmitter and receiver due to the heterogeneous structure. As illustrated in Figure 14.14, 
a cooperator/relay can be involved in a legitimate transmission. In practice, the number 
of transmitters, receivers, and cooperators/relays can vary depending on use cases. With the 
involvement of a cooperator/relay, power control is to achieve two security goals as follows: 

(1) Maximize the secrecy rate for the sender, i.e. the higher rate of the transmissions 
with/without routing through the cooperator/relay. Without loss of generality, it can 
be represented as: 

$$C_s = \max\{C_1 - C_1',\ \min\{C_2 - C_2',\ C_3 - C_3'\}\}, \qquad (14.3)$$

where $C_1, C_2, C_3$ are legitimate channel capacities and $C_1', C_2', C_3'$ are eavesdropping capac- 
ities. Note that the processing delay from a cooperator/relay is neglected for simplicity. 

(2) Maximize the secrecy rate for the cooperator/relay, i.e. the higher rate of the transmissions 
with/without routing through the sender. Similarly, it can be represented as: 

$$C_s = \max\{C_3 - C_3',\ \min\{C_2 - C_2',\ C_1 - C_1'\}\}. \qquad (14.4)$$

By selecting the route with the higher secrecy rate, the cooperator/relay may or may not be 
involved in a transmission. As shown in Figure 14.15, a typical 5G D2D scenario includes 
one base station, a number of cellular users, and one D2D link. To protect legitimate users 
from possible eavesdroppers, the secrecy rate based utility of each cellular user $i$ can be 
computed as: 

$$U_{c,i} = \log_2(1 + \theta_{c,i}) + \alpha \beta p h, \qquad (14.5)$$

where $\theta_{c,i}$ indicates the signal-to-interference plus noise ratio (SINR) of cellular user $i$; $\alpha$ 
is the price factor; $\beta$ is the scale factor; $p$ is the transmit power of the D2D user; and $h$ is 
the channel gain from the D2D user to the cellular users. In this utility function, $\log_2(1 + \theta_{c,i})$ 
is the data rate of the cellular user, and $\alpha \beta p h$ compensates for the interference from the D2D 
link. Similarly, the secrecy rate based utility of the D2D user can be computed as: 

$$u_d = [\log_2(1 + \theta_d) - \log_2(1 + \theta_e)] - \alpha p h. \qquad (14.6)$$

The utility function of the D2D user includes the secrecy data rate and the payment for the 
interference to cellular users. A Stackelberg game can be formed to maximize the utilities 
of both cellular users and D2D users. The game strategy of the cellular users depends on the 
price factor $\alpha$ and the game strategy of the D2D user depends on its transmit power $p$. The 
Stackelberg game is formed to maximize the cellular utility function at the first stage and then 
the utility function of the D2D user at the second stage [151]. 
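Both power control goals of this subsection worked as one added example (not code from the book or from [151]): the route selection of Eqs. (14.3) and (14.4) over (legitimate, eavesdropping) capacity pairs, and the two-stage Stackelberg game of Eqs. (14.5) and (14.6) solved by grid search, where the cellular user announces a price and the D2D user best-responds with its transmit power. The SINR model behind the utilities (fixed linear gains, D2D power appearing as interference p*h at the cellular user) and all parameter values are constructed assumptions.

```python
import math


def route_secrecy_rate(direct, via_a, via_b):
    """Eqs. (14.3)/(14.4). Each argument is a (legitimate capacity, eavesdropping
    capacity) pair. A link's secrecy rate is the difference; a relayed route is limited
    by its weaker hop; the node keeps the better of the direct and relayed routes."""
    rate = lambda link: link[0] - link[1]
    return max(rate(direct), min(rate(via_a), rate(via_b)))


def cellular_sinr(p, env):
    """theta_{c,i}: cellular signal over noise plus D2D interference p*h (assumed model)."""
    return env["P_c"] * env["g_c"] / (env["noise"] + p * env["h"])


def d2d_snr(p, gain, env):
    return p * gain / env["noise"]


def cellular_utility(p, alpha, env):
    """Eq. (14.5): own data rate plus the compensation alpha*beta*p*h."""
    return math.log2(1 + cellular_sinr(p, env)) + alpha * env["beta"] * p * env["h"]


def d2d_utility(p, alpha, env):
    """Eq. (14.6): secrecy rate of the D2D link minus the interference payment alpha*p*h."""
    secrecy = (math.log2(1 + d2d_snr(p, env["g_d"], env))
               - math.log2(1 + d2d_snr(p, env["g_e"], env)))
    return secrecy - alpha * p * env["h"]


def d2d_best_response(alpha, env):
    """Second stage: the D2D user picks the power maximising u_d for the announced
    price. Ties resolve to the first (lowest) power in the grid."""
    return max(env["powers"], key=lambda p: d2d_utility(p, alpha, env))


def stackelberg_equilibrium(env):
    """First stage: the cellular user (leader) announces the price alpha maximising
    U_c while anticipating the follower's best response. Returns (alpha, p, U_c)."""
    best = None
    for alpha in env["prices"]:
        p = d2d_best_response(alpha, env)
        u_c = cellular_utility(p, alpha, env)
        if best is None or u_c > best[2]:
            best = (alpha, p, u_c)
    return best


ENV = {  # constructed example parameters (linear gains and powers, unit-less)
    "P_c": 1.0, "g_c": 0.8, "h": 0.2, "g_d": 1.0, "g_e": 0.3,
    "noise": 0.1, "beta": 1.0,
    "powers": [i / 10 for i in range(11)],       # D2D power grid 0.0 ... 1.0
    "prices": [0.0, 0.5, 1.0, 2.0, 4.0, 8.0],    # price factors the leader may announce
}


if __name__ == "__main__":
    print("sender secrecy rate:", route_secrecy_rate((5, 1), (6, 2), (7, 1)))
    alpha, p, u_c = stackelberg_equilibrium(ENV)
    print(f"price {alpha}, D2D power {p}, cellular utility {u_c:.3f}, "
          f"D2D utility {d2d_utility(p, alpha, ENV):.3f}")
```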


Figure 14.15 The system model with a D2D link and an eavesdropper (base station, cellular 
users, D2D users; cellular link, D2D link, interference, and eavesdropping links). Source: 
Modified from Luo et al. [151]. 


14.4.4.2 Artificial Noise and Signal Processing 

Artificial noise can be introduced to secure the intended signal transmission. For example, 
an association policy can be set such that a random eavesdropper cannot reach its receiving 
SNR threshold, while legitimate users have maximized secrecy probability [137]. Moreover, 
if a sender has multiple antennas, then single-antenna eavesdroppers can be mitigated in a 
mm-Wave system if partial channel state information of the eavesdropper is known [152]. 
However, artificial noise increases power consumption and thus requires special design 
for energy efficiency [146]. Special signal processing may protect the system from eaves- 
droppers without increasing power consumption. For example, in the original symbol 
phase rotated secure transmission scheme [153], the base station randomly rotates the 
phase of the original symbols before transmission. Thus only legitimate users can correctly 
receive the symbols. Non-orthogonal multiple access (NOMA) is another technology 
that can protect a transmission system from eavesdroppers [154]. Moreover, massive 
MIMO introduces more possibilities in signal processing to protect the system against 
eavesdroppers [140]. 


14.4.5 Handover Procedure and Signaling Load Analysis 


Handover processes are more complex in 5G systems due to the integration of 3GPP access, 
non-3GPP access, and new radio access. In the 5G security architecture [132], a user is 
associated to an AMF, which is independent of the different access technologies. Therefore, 
a user would be able to switch between multiple access technologies handled by the same 
AMF. No authentication is needed when switching to a different SMF for a new session and 
a new IP address allocation. A general overview of handover scenarios in a two-tier HetNet 
model is shown in Figure 14.16. 

As shown in Figure 14.17, a handover in the 5G wireless security architecture requires 
a session key and IP address updates through a data update process between the AMF 
and SMFs. The entire process is seamless since the communication latency between 
AMF and SMF can be neglected compared with the communication latency from MME 
to HSS. Besides the fast processing between AMF and SMFs, the signaling overhead 
is much lower in the 5G wireless security architecture compared with the legacy cel- 
lular system due to the full separation of control plane and user plane, as indicated 
in Figure 14.18. To satisfy certain latency requirement, the number of gateway nodes 
needs to be increased by a factor of 20-30 times of the current deployment [155]. On the 
positive side, gateways can be distributed in a flexible way because of the plane separation. 
Therefore, for the new core network based on control and user plane separation, the 
signaling load can be significantly reduced. 


Figure 14.16 Handover scenarios in a two-tier HetNet model. 


14.4.6 Availability in 5G 


Figure 14.19 A pseudorandom time hopping system block diagram. 


A reliable 5G system needs to enhance its availability, especially against jamming 
attacks in wireless networks. There is hardly any protection that can directly fight back 
against jamming attacks. Nonetheless, anti-jamming schemes seek to avoid jammed channels by using 
frequency-hopping techniques, i.e. hopping over multiple channels for one transmission. 
For example, software defined radios can be used for secret adaptive frequency hopping in 
5G systems [156]. Bit error rate (BER) can be estimated based on PHY layer information 
to decide frequency blacklisting under DoS attack. However, since the frequency hopping 
technique requires that users have access to multiple channels, it may not work efficiently 
for dynamic spectrum access users due to the high switching rate and high probability 
of jamming. Pseudo-random time hopping may be applied as an anti-jamming scheme for 
cognitive users in 5G systems [157], as shown in Figure 14.19. The jamming probability 
relates to delay performance and error probability. The jamming probability is low when 
the jammer lacks access opportunities. The switching probability of the time-hopping system 
outperforms that of the frequency-hopping system. With the same average symbol energy per 
joule, time-hopping has a lower error probability than that of frequency-hopping, and 
the performance gain saturates at a certain symbol energy level. The pseudorandom 
time-hopping technique is a strong candidate for D2D links in 5G wireless networks due 
to its good energy efficiency and spectrum efficiency performance as well as its capability 
in providing jamming resilience with a small communication overhead. However, a pre- 
shared key is required for the time-hopping anti-jamming technique. 

Although most jamming attacks are detectable because of their active nature, some 
attackers may wish to hide their locations from being detected by legitimate users. In those 
cases, a jamming attacker is assumed to have only limited power and computing resources, 
similar to user nodes. To deal with such jamming attacks, a possible approach can be 
optimal resource allocation such that the attacker cannot allocate its power properly to 
jam legitimate users without being detected. For example, a fusion center may be applied to 
process resource allocations against such jamming attacks [158], as shown in Figure 14.20. 
Specifically, a non-cooperative Colonel Blotto game is formulated between the attacker 
and the fusion center as an exercise in strategic resource distribution. The fusion center 
can allocate more bits to these nodes for reporting the measured interference. A hierarchical 
degree is assigned to each node based on its betweenness centrality [159]. Once the attack 
is detected, the fusion center will instruct the target node to increase its transmit power to 
maintain a proper SINR for normal communications. 


Figure 14.20 The resource allocation model (bandwidth allocation, detected feedback, and interference between the fusion center and the jammer). 


14 Security in 5G Wireless Networks 


14.4.7 Location and Identity Anonymity in 5G 


5G wireless networks raise serious concerns on privacy leakage when supporting more and 
more vertical industries such as mobile-health care and smart transportations [133]. The 
data flows in 5G wireless networks carry extensive personal privacy information such as 
identity, position, and private contents. In some cases, privacy leakage may cause serious 
consequences. Depending on the privacy requirements of the applications, privacy protec- 
tion is a big challenge in 5G wireless networks. One approach to protect the location and prefer- 
ences of a user in HetNets is to properly select the access point based on a matching game 
framework that is established to measure the preferences of mobile users and base stations 
with PHY layer system parameters [160]. In particular, a differentially private Gale-Shapley 
matching algorithm can be applied with the utilities of mobile users and access points defined 
as packet success rate in the game framework. Identity protection in 5G systems can be 
extended from the temporary identity used in legacy cellular systems. For example, contex- 
tual privacy can be achieved for both data and identity protection in mobile-health [161]. 
In particular, the identity of the source client is encrypted by a pseudo identity of the 
source client with the public key of the physician using certificateless encryption mode. 
Meanwhile, the identity of the intended physician is also encrypted with the public key of 
the network manager. Through these two encryption steps, the contextual privacy can be 
achieved. 


14.5 5G Key Management 


14.5.1 3GPP 5G Key Architecture 


Key management supports the establishment and maintenance of keying relationships 
between authorized parties, where the keying relationship is the way common data is 
shared between communication entities. The common data can be public or secret keys, 
initialization values, and other non-secret parameters. Figure 14.21 shows the 5G key 
hierarchy defined by 3GPP in Release 16 [162]. A long term secret key $K$ is pre-installed 
in the Authentication Credential Repository and Processing Function (ARPF) and 
the USIM. A pair of CK and IK is derived from $K$, similar to LTE and UMTS systems. 
The key $K_{\mathrm{AUSF}}$ is derived by the ARPF to secure communications between UE and ARPF. 
The key $K_{\mathrm{AUSF}}$ is passed to the Authentication Server Function (AUSF) and UE to derive an 
anchor key $K_{\mathrm{SEAF}}$ for the Security Anchor Function (SEAF). The key $K_{\mathrm{AMF}}$ is then derived 
for both the AMF and UE. The AMF further derives four keys from $K_{\mathrm{AMF}}$ as follows: $K_{\mathrm{N3IWF}}$ is 
used to secure communications between UE and the Non-3GPP Interworking Function 
(N3IWF); $K_{\mathrm{NASint}}$ and $K_{\mathrm{NASenc}}$ are two keys used to protect the integrity and confidentiality 
in non-access stratum (NAS); $K_{\mathrm{gNB}}$ is derived to secure communications between gNB and 
UE. Finally, the gNB uses $K_{\mathrm{gNB}}$ to derive $K_{\mathrm{RRCint}}$, $K_{\mathrm{RRCenc}}$, $K_{\mathrm{UPint}}$, and $K_{\mathrm{UPenc}}$ for integrity and 
confidentiality on RRC and UP communications. 


Figure 14.21 5G key hierarchy defined in 3GPP Release 16. 


14.5.2 Key Management in 5G Handover 


Figure 14.22 shows the handover key chaining in 5G networks. In a handover process, 
the source gNB (i.e. $\mathrm{gNB}_s$) generates a new key $K_{\mathrm{NG\text{-}RAN}}^{*}$ to be used between $\mathrm{gNB}_t$ and UE 
either through vertical key derivation or horizontal key derivation. If $\mathrm{gNB}_s$ has a pair 
of unused Next Hop (NH) parameter and Next Hop Chain Counter (NCC), i.e. {NH, NCC}, 
then a vertical key derivation is performed as follows: 


$$K_{\mathrm{NG\text{-}RAN}}^{*} = \mathrm{KDF}(\mathrm{NH} \,\|\, \mathrm{PCI} \,\|\, \mathrm{ARFCN\text{-}DL}), \qquad (14.7)$$


where $\mathrm{KDF}(\cdot)$ is a hash based key derivation function; PCI and ARFCN-DL are the PHY 
cell identity and absolute radio frequency channel number-down link of $\mathrm{gNB}_t$, respectively. 
If an unused {NH, NCC} pair is not available, then the horizontal key derivation is per- 
formed as follows: 


$$K_{\mathrm{NG\text{-}RAN}}^{*} = \mathrm{KDF}(K_{\mathrm{gNB}} \,\|\, \mathrm{PCI} \,\|\, \mathrm{ARFCN\text{-}DL}). \qquad (14.8)$$


After generating $K_{\mathrm{NG\text{-}RAN}}^{*}$, $\mathrm{gNB}_s$ sends the $\{K_{\mathrm{NG\text{-}RAN}}^{*}, \mathrm{NCC}\}$ pair to $\mathrm{gNB}_t$. The NCC is the NH 
chaining counter to be included in a handover acknowledgment message and forwarded 
to the UE by $\mathrm{gNB}_s$. Once $\mathrm{gNB}_t$ completes the handover, it shall send a path shift request 
to the AMF. Upon receiving the path shift request, the AMF increments NCC and computes 
a new NH as follows: 


$$\mathrm{NH}^{*} = \mathrm{KDF}(K_{\mathrm{AMF}} \,\|\, \mathrm{NH}). \qquad (14.9)$$


The new {NH, NCC} pair is sent to $\mathrm{gNB}_t$ for the next handover process. Note that the initial 
NH is computed as follows: 


$$\mathrm{NH} = \mathrm{KDF}(K_{\mathrm{AMF}} \,\|\, K_{\mathrm{gNB}}). \qquad (14.10)$$


On the UE side, since it knows $K_{\mathrm{AMF}}$, the first $K_{\mathrm{gNB}}$, PCI, and ARFCN-DL, it can generate 
$K_{\mathrm{NG\text{-}RAN}}^{*}$ at each handover and use the received NCC value to check if the key matches 
the one used by $\mathrm{gNB}_t$. 


Figure 14.22 5G handover key chaining. 
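The key chaining of (14.7) to (14.10), written out as an added example (not code from the book or from 3GPP): the AMF, a source gNB, a target gNB and the UE each hold only the inputs the text gives them, and the UE recomputes the new key from the NCC it receives. It assumes that the KDF is HMAC-SHA-256 over the concatenated inputs (the real 3GPP KDF has a specific input encoding, omitted here), fixed-width encodings of PCI and ARFCN-DL, and a simplified derivation of the first K_gNB from K_AMF under a constructed label; the key bytes are constructed.

```python
"""5G handover key chaining, Eqs. (14.7)-(14.10), as a runnable model.
Added example, not code from the book or from 3GPP.  Assumptions: the KDF is
HMAC-SHA-256 over the concatenated inputs (the real 3GPP KDF has a specific
input encoding, omitted here); PCI and ARFCN-DL use fixed-width encodings;
the first K_gNB is derived from K_AMF with a constructed label."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


def kdf(key: bytes, *fields: bytes) -> bytes:
    """Hash-based KDF(key || fields), modelled as HMAC-SHA-256 keyed with `key`."""
    return hmac.new(key, b"".join(fields), hashlib.sha256).digest()


def cell_fields(pci: int, arfcn_dl: int) -> Tuple[bytes, bytes]:
    """Fixed-width encodings of PCI (2 bytes) and ARFCN-DL (4 bytes); assumed widths."""
    return pci.to_bytes(2, "big"), arfcn_dl.to_bytes(4, "big")


@dataclass
class AMF:
    k_amf: bytes
    nh: bytes = b""
    ncc: int = 0

    def initialise(self, k_gnb: bytes) -> None:
        self.nh, self.ncc = kdf(self.k_amf, k_gnb), 0      # Eq. (14.10)

    def path_switch(self) -> Tuple[bytes, int]:
        """On the path switch request: NCC += 1, NH* = KDF(K_AMF || NH), Eq. (14.9)."""
        self.nh, self.ncc = kdf(self.k_amf, self.nh), self.ncc + 1
        return self.nh, self.ncc


@dataclass
class GNB:
    name: str
    k_gnb: bytes
    ncc: int                                    # NCC the current K_gNB is bound to
    unused: Optional[Tuple[bytes, int]] = None  # fresh {NH, NCC} from the AMF, if any

    def derive_star(self, pci: int, arfcn_dl: int) -> Tuple[bytes, int]:
        """Source-gNB derivation of {K_NG-RAN*, NCC} for the target cell."""
        fields = cell_fields(pci, arfcn_dl)
        if self.unused is not None:                # vertical, Eq. (14.7)
            nh, ncc = self.unused
            self.unused = None
            return kdf(nh, *fields), ncc
        return kdf(self.k_gnb, *fields), self.ncc  # horizontal, Eq. (14.8)


@dataclass
class UE:
    k_amf: bytes
    k_gnb: bytes
    nh: bytes = b""
    ncc: int = 0

    def __post_init__(self) -> None:
        self.nh = kdf(self.k_amf, self.k_gnb)      # Eq. (14.10) on the UE side

    def handover(self, ncc_recv: int, pci: int, arfcn_dl: int) -> bytes:
        """Recompute K_NG-RAN*; the received NCC selects vertical or horizontal."""
        fields = cell_fields(pci, arfcn_dl)
        if ncc_recv > self.ncc:
            while self.ncc < ncc_recv:             # catch the NH chain up to NCC
                self.nh, self.ncc = kdf(self.k_amf, self.nh), self.ncc + 1
            self.k_gnb = kdf(self.nh, *fields)     # vertical
        else:
            self.k_gnb = kdf(self.k_gnb, *fields)  # horizontal
        return self.k_gnb


def run_handover_chain(k_amf: bytes, cells: List[Tuple[int, int]]) -> List[Tuple[int, bool, bytes]]:
    """Move one UE through `cells` = [(PCI, ARFCN-DL), ...]; per handover return
    (NCC sent to the UE, whether the UE's key equals the target gNB's, that key)."""
    k_gnb0 = kdf(k_amf, b"initial-gNB")          # simplified first K_gNB (assumption)
    amf = AMF(k_amf)
    amf.initialise(k_gnb0)
    source = GNB("gNB0", k_gnb0, 0)
    ue = UE(k_amf, k_gnb0)
    results = []
    for i, (pci, arfcn_dl) in enumerate(cells, start=1):
        k_star, ncc = source.derive_star(pci, arfcn_dl)
        target = GNB(f"gNB{i}", k_star, ncc)        # {K*, NCC} sent source -> target
        ue_key = ue.handover(ncc, pci, arfcn_dl)    # NCC forwarded to the UE
        target.unused = amf.path_switch()           # new {NH, NCC} for the next handover
        results.append((ncc, hmac.compare_digest(ue_key, k_star), k_star))
        source = target
    return results


if __name__ == "__main__":
    for ncc, ok, key in run_handover_chain(b"\x11" * 32, [(101, 640000), (202, 640000), (303, 641000)]):
        print(f"NCC={ncc} keys match={ok} K*={key.hex()[:16]}...")
```

The simulation runs three handovers: the first is horizontal because the source gNB holds no unused {NH, NCC} pair, and each later one is vertical with the pair the AMF delivered after the previous path shift. The comparison of the received NCC with its own counter is what tells the UE which branch to take, which is why an NCC that does not advance after a path shift would leave UE and gNB with different keys.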


14.5.3 Key Management for D2D Users 


Key management for D2D users has been researched in recent years [161, 163, 164]. In 
D2D group use cases, there are five security requirements for key management, as listed 
in Table 14.4. A group key management mechanism can be applied [164]. In particular, an 
identity-based cryptography (IBC) scheme based on elliptic curve cryptography (ECC) can 
be applied to multicast group communications security. One example of D2D key exchange 
is illustrated in Figure 14.23. The key exchange process is based on Diffie-Hellman (DH) 
scheme. The eNodeB is a trusted party that certifies the authenticity between the two D2D 
users. Private dedicated channels can be established between the eNodeB and each D2D 
user. The process can be simplified by replacing the HMAC function with other check func- 
tions with less complexity [163]. 


Table 14.4 Security requirements in D2D group use cases. 


Forward secrecy | Revoke access from users who have left the system 
Backward secrecy | New users shall not hold old keys 
Collusion freedom | Fraudulent users cannot deduce traffic encryption 
Key independence | Keys in one group cannot be discovered with keys in another group 
Trust relationship | Keys are not revealed to other parts in the same domain or other domain 


Source: Based on GSMA Intelligence [119]. 


Figure 14.23 Example of D2D key exchange protocol. 


14.6 Security for New Communication Techniques in 5G 


5G wireless network systems introduce several new techniques, such as HetNet, massive 
MIMO, D2D, SDN, and IoT. Besides security protection in the core 5G system, researchers 
and engineers have been working on the newly integrated communication techniques so 
that the 5G networks are protected as a whole system. 


14.6.1 Heterogeneous Network and Massive MIMO in 5G 


HetNet is a promising technique to provide blanket wireless signal coverage and high 
throughput in 5G wireless networks. It is a multi-tier system where different charac- 
teristics, such as transmission power, coverage size, and radio access technologies, are 
set for nodes depending on their tiers. With the heterogeneous characteristics, HetNet 
achieves higher capacity, broader coverage and better performance in energy efficiency 
and spectrum efficiency. In the meantime, the nature of HetNet architecture makes it 
more challenging in several security aspects compared with traditional single-tier cellular 
networks [137, 147]. For example, launching eavesdropping attacks becomes easier 
because of the blanket wireless signal coverage. Frequent handover between small cells 
in HetNet is more challenging and cannot rely on current mechanisms in legacy cellular 
systems. Moreover, accurate location information of a user may cause privacy leakage in 
a HetNet with densely deployed small cells, especially when the conventional association 
mechanism is applied. 

Researchers have proposed to apply coordinated multi-point (CoMP) transmission to 
enhance communication coverage in HetNet. However, CoMP also increases the risk of 
eavesdropping because of the added transmission links. To counter the attack, the points 
chosen for transmission need to be dynamic and carefully designed to guarantee the secure 
coverage probability for users [165]. Moreover, artificial noise can be added to tackle the 
eavesdropping attacks in HetNet. However, a different mobile association policy is needed 
as the received signal power would always be well above the noise floor due to artificial noise. 
For example, average received signal power (ARSP) may be applied by comparing its 
value to a pre-set access threshold. In this way, an association is granted only when the 
maximum ARSP exceeds the threshold, meaning that the user is active [137]. Such an ARSP 
based association policy can greatly enhance secrecy throughput performance given a 
properly chosen access threshold. 

PHY layer association algorithms, besides data confidentiality, can also be properly 
designed in 5G to protect user location anonymity. On the one hand, the high density of 
small cells could leak more information about a user location. On the other hand, those 
access nodes may cooperate with each other to disguise the user from location disclosure 
to unauthorized users. For example, a differentially private Gale-Shapley algorithm may be 
applied [160]. A network intrusion detection system (IDS) is a technique that can be applied 
to the cloud computing systems in 5G HetNet [166]. Several IDS solutions have been studied 
in the network domain, such as signature-based detection, anomaly-based detection, 
specification-based detection, stateful protocol analysis, and hybrid intrusion detection. Since 
the cloud computing systems and core network in 5G HetNet follow a typical networking 
structure, the existing IDS designs can be extended to support HetNet applications. 

Massive MIMO can greatly enhance energy efficiency and spectrum efficiency to support 
a large number of users simultaneously in 5G systems [153]. Besides, massive MIMO also 
provides new options in security mechanisms. For example, PHY layer security such as 
linear zero-forcing beamforming can be used to secure downlink HetNet communications 
against multiple eavesdroppers [140]. However, active attackers may also utilize massive 
MIMO technology to compromise legitimate communications. The number of antennas 
and beamforming schemes at the base stations need to be carefully designed to suppress 
the impact from the massive MIMO equipment of attackers while maintaining high energy 
efficiency of the 5G systems. 


14.6.2 Device-to-Device Communications in 5G 


D2D devices can communicate with each other without going through base stations. 
Therefore, D2D communications enable efficient spectrum usage in 5G systems. Moreover, 
D2D communications can effectively offload traffic from base stations. However, the 
dynamic spectrum access used in D2D links can yield security threats in large-scale 
deployment [149]. 


Figure 14.24 Eavesdropping in D2D communications. 

Eavesdropping in D2D communications can be more threatening as it can target multiple 
D2D communications using the same spectrum while being outside normal D2D cover- 
age areas. In Figure 14.24, the D2D receivers on the edge of each D2D coverage area are 
presented as the most vulnerable nodes to eavesdropping. Thus, it is straightforward to 
provide the highest secrecy capacity for those users, such that, 


$$\max\; r_s\, P_{\mathrm{data}}\, P_{\mathrm{sec}}, \qquad (14.11)$$


where $r_s$ is the transmitting rate, denoted as $r_s = W \log_2(1+\zeta_i)$; $W$ is the bandwidth of 
the channels; $P_{\mathrm{data}}$ is the probability of a successful data link, where the SINR of the D2D receiver 
$\zeta_i$ is higher than a threshold $T_d$; and $P_{\mathrm{sec}}$ is the security probability, where the SINR 
of every eavesdropper is lower than a threshold $T_e$. Since eavesdropping 
is a passive attack, for simplicity, assume that the eavesdroppers are distributed as a homogeneous 
Poisson point process $\Phi_e$ of intensity $\lambda_e$, and that the D2D transmitters form a point 
process $\Phi_d$ of intensity $\lambda_d$. Then $P_{\mathrm{data}}$ can be found as: 


$$P_{\mathrm{data}} = P(\zeta_i \ge T_d) = \exp\!\left(-\frac{T_d\,\sigma\,\|x_i\|^{\alpha}}{p_i}\right) \mathbb{E}_{I_i}\!\left[\exp\!\left(-\frac{T_d\,I_i\,\|x_i\|^{\alpha}}{p_i}\right)\right], \qquad (14.12)$$


where $\sigma$ is the Gaussian noise; $I_i$ is the interference at the D2D receiver; $x_i$ is the location 
of the D2D receiver; $p_i$ is the transmit power of the D2D transmitter; and $\alpha$ is the path-loss exponent. If the exact locations of 
eavesdroppers are unknown, then $P_{\mathrm{sec}}$ can be approximated as: 


$$P_{\mathrm{sec}} = \mathbb{E}\Big[\prod_{e \in \Phi_e} P(\zeta_e < T_e)\Big] \approx \exp\!\left(-\frac{\lambda_e\,\mathrm{sinc}(\delta)\,p_i^{\delta}}{\lambda_d\,T_e^{\delta}\,p_{ae}^{\delta}}\right), \qquad (14.13)$$


where $\delta = 2/\alpha$; and $p_{ae}$ is calculated as: 


$$p_{ae} = \frac{\sum_{d \in \Phi_d,\, x_d \ne x_i} p_d\,\|x_e - x_d\|^{-\alpha}}{\sum_{d \in \Phi_d,\, x_d \ne x_i} \|x_e - x_d\|^{-\alpha}}. \qquad (14.14)$$


If the locations of eavesdroppers are known, $P'_{\mathrm{sec}}$ can be found by dealing with the eaves- 
dropper that has the highest SINR at location $x_e$, as follows: 


$$P'_{\mathrm{sec}} = P(\zeta_e < T_e) = 1 - \exp\!\left(-\frac{T_e\,\sigma\,\|x_i - x_e\|^{\alpha}}{p_i} - \frac{\pi\,\lambda_d\,(p_{ae} T_e)^{\delta}\,\|x_i - x_e\|^{2}}{\mathrm{sinc}(\delta)\,p_i^{\delta}}\right), \qquad (14.15)$$


where $x_e$ is the exact location of the most dangerous eavesdropper of $R_i$. In either case, 
the optimal SINR of D2D receivers can be computed to achieve the maximum secrecy 
rates [167]. However, due to the dynamic nature of wireless communication channels, the 
performance of PHY level security could vary. 
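As an added numerical example (not code from the book or from [167]), the following evaluates (14.12), (14.13) and (14.15) and searches for the receiver SINR threshold $T_d$ that maximises the secrecy throughput objective of (14.11). Beyond what the text states it assumes that the transmitter encodes at the rate supported by the threshold, so $r_s = W\log_2(1+T_d)$; that the interferers form a PPP of intensity $\lambda_d$ with Rayleigh fading and a common power $p_d$, so the expectation over $I_i$ in (14.12) takes the standard closed form $\exp(-\pi\lambda_d (s p_d)^{\delta}/\mathrm{sinc}(\delta))$; and that $p_{ae}$ is supplied as a given average. All parameter values are constructed.

```python
"""Secrecy-throughput trade-off for a D2D link, Eqs. (14.11)-(14.15).
Added example, not from the book or [167]. Assumptions: r_s = W log2(1+T_d);
PPP interferers with Rayleigh fading (closed-form Laplace transform);
p_ae given; every numeric parameter below is constructed."""
import math
from typing import List, Tuple


def sinc(x: float) -> float:
    """Normalised sinc, sin(pi x)/(pi x), as used in (14.13) and (14.15)."""
    return 1.0 if x == 0 else math.sin(math.pi * x) / (math.pi * x)


def p_data(T_d, sigma, dist_i, p_i, lambda_d, p_d, alpha) -> float:
    """Eq. (14.12): P(zeta_i >= T_d) for a receiver at distance ||x_i|| = dist_i.
    The expectation over I_i is the PPP/Rayleigh Laplace transform (assumption)."""
    delta = 2.0 / alpha
    noise_term = math.exp(-T_d * sigma * dist_i ** alpha / p_i)
    s = T_d * dist_i ** alpha / p_i                    # Laplace-transform argument
    interference_term = math.exp(-math.pi * lambda_d * (s * p_d) ** delta / sinc(delta))
    return noise_term * interference_term


def p_sec_unknown(lambda_e, lambda_d, T_e, p_i, p_ae, alpha) -> float:
    """Eq. (14.13): eavesdropper locations unknown (PPP of intensity lambda_e)."""
    delta = 2.0 / alpha
    return math.exp(-lambda_e * sinc(delta) * p_i ** delta / (lambda_d * (T_e * p_ae) ** delta))


def p_sec_known(dist_e, sigma, lambda_d, T_e, p_i, p_ae, alpha) -> float:
    """Eq. (14.15): the strongest eavesdropper sits at distance ||x_i - x_e|| = dist_e."""
    delta = 2.0 / alpha
    exponent = (T_e * sigma * dist_e ** alpha / p_i
                + math.pi * lambda_d * (p_ae * T_e) ** delta * dist_e ** 2
                / (sinc(delta) * p_i ** delta))
    return 1.0 - math.exp(-exponent)


def secrecy_throughput(T_d, W, P_sec, **link) -> float:
    """Eq. (14.11) objective r_s * P_data * P_sec with r_s = W log2(1 + T_d) (bit/s)."""
    return W * math.log2(1.0 + T_d) * p_data(T_d, **link) * P_sec


def candidate_thresholds() -> List[float]:
    """Log-spaced SINR thresholds from -10 dB to 30 dB in 1 dB steps."""
    return [10 ** (db / 10.0) for db in range(-10, 31)]


def best_threshold(W, P_sec, **link) -> Tuple[float, float]:
    """Grid search over T_d; returns (T_d, secrecy throughput). A higher threshold
    raises the rate but lowers P_data, so the product has an interior maximum."""
    best = max(candidate_thresholds(), key=lambda t: secrecy_throughput(t, W, P_sec, **link))
    return best, secrecy_throughput(best, W, P_sec, **link)


# Constructed scenario: path-loss exponent 4, 20 m D2D link, 100 mW transmitters
# at 1e-4 per m^2, noise power 1e-12 W.
LINK = dict(sigma=1e-12, dist_i=20.0, p_i=0.1, lambda_d=1e-4, p_d=0.1, alpha=4.0)

if __name__ == "__main__":
    P_sec = p_sec_unknown(lambda_e=1e-5, lambda_d=1e-4, T_e=1.0, p_i=0.1, p_ae=0.1, alpha=4.0)
    T_d, thr = best_threshold(10e6, P_sec, **LINK)   # 10 MHz channel
    print(f"P_sec={P_sec:.3f}  best T_d={10 * math.log10(T_d):.0f} dB  "
          f"secrecy throughput={thr / 1e6:.2f} Mbit/s")
    for d in (10.0, 20.0, 40.0):
        print(f"known eavesdropper at {d:4.0f} m: P'_sec="
              f"{p_sec_known(d, 1e-12, 1e-4, 1.0, 0.1, 0.1, 4.0):.3f}")
```

With these values $P_{\mathrm{sec}}$ does not depend on $T_d$, so the search only trades rate against $P_{\mathrm{data}}$ and settles near 11 dB; raising $\lambda_e$ scales the whole curve down through (14.13), and for a known eavesdropper (14.15) gives a security probability that grows with its distance, which is the quantity a scheduler would use to decide whether the edge receivers in Figure 14.24 can be served at all.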

The traditional cryptographic mechanisms may not fit D2D communications. For 
example, the proximity service and communication phases for D2D communications 
require a distributed approach for scalability. Typical public key infrastructure and key 
distribution center can hardly keep up with the scalability and dynamic nature of D2D 
communications. Researchers have proposed to apply IBC to D2D communications [164]. 
IBC generates the public key of a user based on its identity. In this way, the public 
keys can be generated at any node on demand or beforehand, which greatly reduces the 
complexity of the system. Key revocation and update can be easily applied in IBC based 
mechanisms. Another way to enhance D2D key exchange involves a base station (e.g. 
eNodeB in legacy LTE systems). The eNodeB participates in the initial key exchange and 
mutual authentication of D2D users. After that, both a public channel and an encrypted 
dedicated channel are established for key exchange in two scenarios: one is traffic offload, 
where D2D users are connected to the same eNodeB, and the other is a social networking 
scenario, where a D2D link is required for the applications of each D2D user [163]. 

Security in D2D communications requires special design in some use cases, such as 
m-health applications, vehicular networks, etc. For example, an m-health system requires 
data confidentiality and integrity, mutual authentication, anonymity to anyone except the 
intended physician, unlinkability, forward security, and contextual privacy. It also requires 
lightweight operation for mobile terminals with energy and storage constraints and needs to be 
robust enough to fight against threats when part of the keys can be exposed. To address those 
issues, certificateless public key cryptography may be applied [161]. The private key of a 
user is generated by both the key generator center and the user, which keeps the private key 
unknown to the key generator center. 


14.6.3 Software-Defined Network in 5G 


By decoupling the control plane from the data plane, SDN simplifies centralized control 
in network management. SDN can provide logically centralized intelligence, programma- 
bility, and abstraction to 5G systems to improve scalability and flexibility at relatively low 
costs [125]. Table 14.5 lists the advantages of SDN features, the network applications, 
and the security use. However, the advanced features of SDN and additional network 
applications also introduce security challenges to 5G systems. The new security issues 
in SDN networks are briefly summarized in Table 14.6. The forwarding plane may suffer 
from DoS attacks on network switches due to limited forwarding table and buffering capacity. 
Adding more resources can be a straightforward countermeasure to the switch DoS attack. 
Moreover, the required packet encryption and possible tunnel bypassing in the forwarding 
plane will hide header fields from traditional traffic analysis mechanisms. 


Table 14.5 The advantages of SDN security over traditional networks. 


SDN features | Application | Security use 
Centralization; Global view; Conditional rules; Self-healing mechanisms | Traffic monitoring; Traffic statistics collection; Reactive packet dropping; Reactive packet redirection | Network intrusion detection; Switch behavior monitoring; Network forensics 
Increased control capabilities | Flow-based forwarding | Access control 

Packet type classification may be applied to counter this issue [168, 169]. DDoS attack and 
compromised controller are security issues faced in the control plane mainly due to the cen- 
tralized nature of SDN controller. Dynamic controller assignment and controller replication 
can be applied to reduce the risk of using a centralized controller. The forwarding-control 
link faces man-in-the-middle attack and replay attack due to unencrypted communication 
messages, the lack of authentication, and the lack of time stamping. It is straightforward to 
apply encryption and to include time stamp or nonce in 5G SDN implementation. 


Table 14.6 New security issues in SDN networks and possible countermeasures. 


Security issues | Causes | Possible countermeasures 
Forwarding plane 
Switch DoS | Forwarding table capacity; Enormous number of flows; Switch buffering capacity | Flow rule caching; Increase buffering capability; Reduce switch-controller communication delay 
Tunnel bypassing | Packet encryption; Invisible header fields | Packet type classification 
Control plane 
DDoS attack | Centralization; Forwarding table capacity; Enormous number of flows | Controller replication; Dynamic master controller assignment; Efficient controller placement 
Compromised controller | Centralization | Controller replication with diversity; Efficient controller assignments 
Forwarding-control link 
MITM attack | Unencrypted communication messages; Lack of authentication | Encryption; Use of digital signatures 
Replay attack | Unencrypted communication messages; Lack of time stamping | Encryption; Include time stamp in encrypted messages 
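As an added example (not code from the book or from any SDN controller), the following models the countermeasures listed for the forwarding-control link in Table 14.6: each controller-to-switch message carries a time stamp and a nonce and is authenticated with an HMAC under a shared key, and the switch rejects a message whose tag fails, whose time stamp falls outside the acceptance window, or whose nonce it has already seen. The key, the JSON message format and the 5-second window are assumptions made for the demo; the confidentiality layer the table also calls for (encrypting the channel, e.g. with TLS) is not shown.

```python
"""Freshness and authenticity checks for controller-switch messages.
Added example, not from the book or any SDN controller. Assumptions: shared-key
HMAC-SHA-256 over a canonical JSON body; a 5 s acceptance window; all values constructed."""
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # constructed value


def _canonical(body: Dict) -> bytes:
    """Deterministic serialisation so sender and receiver MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(key: bytes, payload: Dict, now: float, nonce: bytes = b"") -> Dict:
    """Controller side: wrap `payload` with a time stamp, a nonce and an HMAC tag."""
    nonce = nonce or os.urandom(16)
    body = {"payload": payload, "ts": now, "nonce": nonce.hex()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class SwitchReceiver:
    """Switch side: accept a message only if the tag verifies, the time stamp is
    within the window, and the nonce has not been seen before."""

    def __init__(self, key: bytes, window_s: float = 5.0):
        self.key = key
        self.window_s = window_s
        self.seen: Dict[str, float] = {}   # nonce -> time stamp, for replay detection

    def accept(self, msg: Dict, now: float) -> Tuple[bool, str]:
        try:
            body = {k: msg[k] for k in ("payload", "ts", "nonce")}
            tag = msg["tag"]
        except KeyError:
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Tag first: the freshness checks run only on authenticated messages.
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        if abs(now - body["ts"]) > self.window_s:
            return False, "stale timestamp"
        if body["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[body["nonce"]] = body["ts"]
        self._evict(now)
        return True, "ok"

    def _evict(self, now: float) -> None:
        """Forget nonces older than the window; the time-stamp check rejects
        those messages anyway, so the cache stays bounded."""
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window_s}


def demo() -> Dict[str, str]:
    """The four cases worth checking: fresh, replayed, tampered, delayed."""
    rx = SwitchReceiver(SHARED_KEY)
    t0 = 1_700_000_000.0                          # constructed epoch time
    flow_mod = {"op": "flow_mod", "match": "dst=10.0.0.5", "action": "drop"}
    msg = build_message(SHARED_KEY, flow_mod, t0)
    results = {"fresh": rx.accept(msg, t0 + 0.2)[1]}
    results["replay"] = rx.accept(msg, t0 + 1.0)[1]            # same message again
    tampered = dict(msg, payload=dict(flow_mod, action="forward:3"))
    results["tampered"] = rx.accept(tampered, t0 + 1.0)[1]     # payload changed, tag stale
    old = build_message(SHARED_KEY, {"op": "flow_mod"}, t0 - 60)
    results["stale"] = rx.accept(old, t0)[1]                   # delayed by a minute
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The time stamp bounds how long a captured message stays usable and keeps the nonce cache small; the nonce closes the remaining gap inside that window. Verifying the tag before anything else matters because the freshness checks would otherwise act on fields an attacker can set freely.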




14.6.4 Internet-of-Things in 5G 


One of the major use cases of 5G wireless networks will be IoT. Due to the limited computing 
resources of many types of IoT nodes, the advanced security mechanisms in 5G systems 
cannot be utilized properly. Therefore, lightweight mechanisms and relaying/offloading 
need to be optimized for IoT use cases. For example, a fusion center may be involved to 
assist IoT nodes in locating a jamming attacker [158]. In the process, each IoT node is 
capable of detecting its receiving interference. The decentralized interference measurements are 
collected at the fusion center in regular intervals on a common control channel. The fusion 
center measures the importance of each node with the betweenness centrality of each IoT 
node. A certain level threshold and aggregated received interference power level are used 
to determine whether a jamming attack exists or not. The fusion center can also allocate 
bandwidth to certain nodes to measure the interference level in order to detect the jam- 
ming attack. PHY layer security is one approach to secure IoT communication links with 
lower complexity. By adding a relay, the two-hop transmission can apply power allocation 
and codeword rate design against eavesdropping attacks [170]. Relay nodes with multiple 
antennas can further improve secure coverage and secrecy capacity. Moreover, IoT nodes 
with ultra-simplicity, e.g. RFID tags, are challenging in security protocol design. In partic- 
ular, frequent authentication as well as revocation of RFID tags need to be addressed. 


14.7 Challenges and Future Directions for 5G Wireless 
Security 


With the security designs inherited from the legacy cellular networks, and many newly 
developed security mechanisms, there are still quite a few challenges to be addressed in the 
security for 5G wireless networks. 


14.7.1 New Trust Models 


The trust model in the legacy cellular networks involves user terminals, serving network 
and home network. In comparison, the trust models and authentication in 5G wireless 
security need an improvement to support various use cases [128]. For some applications, 
there are various types of devices connected to the same network, some may be used only to 
gather data and some may be used only for Internet access. For different security demands, 
the corresponding trust model may have different security requirements. For example, a 
high security level demand may require both password and biometric authentication simul- 
taneously [133]. Nonetheless, some RFID based IoT devices require efficient and frequent 
authentication/revocation [150]. 


14.7.2 New Security Attack Models 


New security attacks will threaten 5G wireless networks mainly due to two factors. First, 
attackers in 5G systems may be equipped with advanced technologies, such as massive 
MIMO, cloud computing resources, etc. Those technologies will greatly increase the threats 
from attackers. For example, attackers with massive MIMO may eavesdrop with higher 
accuracy from a further distance. Moreover, attackers may even cooperate with each other, 
similar to legitimate user cooperation, to jam D2D transmissions without disclosing their 
locations. Such attacks remain to be explored in 5G systems. Second, more vulnerable 
points will exist in 5G systems due to the new service delivery models applied to SDN and 
NFV [125]. Decoupling software from hardware makes the security of software no longer 
dependent on specific security attributes of the hardware platform [128]. Therefore, the 
demands on strong isolation of security for virtualization are ever increasing. Currently, 
network slicing is proposed to provide such isolated security [127]. 


14.7.3 Privacy Protection 


5G wireless networks would need more attention on privacy leakage due to the open net- 
work platforms [133]. Generally speaking, privacy in 5G wireless networks includes identity 
anonymity and location anonymity. For the identity privacy, new identity management 
should be considered instead of using only device-based identity management. Location 
privacy can be enhanced if multiple association mechanisms are applied to different use 
cases. In practice, encryption is widely applied to privacy protection in most systems. 
However, encryption may violate other service requirements such as latency and efficiency 
in some 5G use cases. Techniques such as data analysis and machine learning may be 
implemented to enhance efficiency in privacy protection. For example, before the data 
transmission, data analysis can be applied to find out several highly sensitive dimensions 
to reduce the encryption cost with privacy protection. 


14.7.4 Flexibility and Efficiency 


The virtualization based 5G architecture requires flexible security mechanisms to protect 
different applications with dynamic configurations [128]. Moreover, security setup must 
be customized and optimized for each specific application instead of one approach fitting 
all [135]. Besides the flexibility of security architecture and mechanisms, efficiency of 
security is another key factor in 5G wireless networks to meet both the latency and energy 
efficiency requirements [135, 171], especially for nodes with limited computing 
capability and power supply in many IoT use cases. Moreover, distributed authentication 
nodes need to support fast network access for a massive number of devices. 


14.7.5 Unified Security Management 


5G wireless security needs a unified security framework with a common and essential set 
of security features such as access authentication, confidentiality, and privacy protection, 
for different services, access technologies, and devices. The basic features of these security 
services are similar to those in the legacy cellular networks. However, there are many new 
perspectives of these security features in 5G wireless networks. For example, security man- 
agement across heterogeneous access needs to be flexible for all access technologies. Security 
management of IoT applications may need to deal with burst access behavior for efficient 
access authentication. 
14.8 Summary 


In this chapter, current development, challenges, and future directions of 5G wireless 
network security are illustrated. 5G wireless network systems take a huge step forward 
compared with the legacy LTE systems. The 5G systems will support many more use cases 
through 3GPP, non-3GPP, and new radio access technologies. Advanced technologies 
such as D2D communications, massive MIMO, and SDN will enhance both functions and 
security mechanism design in 5G systems. For example, PHY level security can be applied 
to user confidentiality as well as location anonymity; SDN supported VEPC can provide 
seamless handover between different access technologies. However, the new technologies 
also bring new challenges in security design. While regular 3GPP cellular users can rely 
on legacy LTE security, 5G security is still pending for advanced technologies such as D2D, 
non-3GPP, and new radio use cases. 


15 Security in V2X Communications 


Vehicle-to-everything (V2X) communications have received great attention in recent years 
as a key component of the Intelligent Transportation Systems (ITS) [172]. V2X commu- 
nications in general include four types of communications, i.e. vehicle-to-vehicle (V2V), 
vehicle-to-infrastructure (V2I), vehicle-to-network (V2N), and vehicle-to-pedestrian (V2P), 
as listed in Table 15.1. Vehicles and ITS entities will exchange information about traffic 
conditions, such as road construction, accidents and traffic jams, through V2X communica- 
tion messages. Such information exchange will greatly enhance road safety for drivers and 
autonomous vehicle control [173]. The shared information will also support first respon- 
ders in emergencies. Other Internet based user applications such as routing and multimedia 
streaming will also benefit from the seamless vehicular networks. Similar to other wireless 
communication systems, a dedicated set of wireless network protocols is designed for vehic- 
ular connections within proximity. Besides, both the current LTE and the next generation 
cellular network technologies will support V2X communications. Due to the open nature 
and complexity of multiple wireless technologies in V2X communications, it is challenging 
to provide security protection for V2X communication networks. This chapter identifies 
some of the major challenges and possible solutions for security in V2X communications. 


15.1 Introduction to V2X Communications 


15.1.1 Generic System Architecture of V2X Communications 


Entities in transportation systems connect to each other through various V2X communica- 
tion techniques, as depicted in Figure 15.1. The communication capability of each vehicle is 
enabled through an on-board unit (OBU), which is also connected to the central computer 
of the vehicle for autonomous control. An OBU is usually paired with a tamper-proof 
device (TPD) that stores credential information for securing communications. OBUs are 
required to send basic security related messages, such as real-time position, speed and 
steering information, every 300ms. Such information can be applied to safety control 
and traffic control [172]. Besides vehicles, V2X communications also include multiple 
types of fixed infrastructure, including a trust authority (TA), road side units (RSUs), and 
cellular base stations [174]. The TA manages the authentication and authorization of all 
entities in V2X communications. Before joining V2X communications, all entities must be 
registered to receive a certificate at the TA [175]. In V2X communications, the TA keeps 
the real identities and tracks the locations of legitimate entities. Another duty of the TA is 
to verify suspicious behaviors from vehicles in the communications. Suspicious behaviors 
are generally reported from an RSU or a cellular base station. Once the report is validated 
by the TA, the certificate of the malicious vehicle will be revoked. 


Table 15.1 V2X communication types. 


Type | Description | Scope and impact 
V2V | Communications between vehicles within proximity | US DoT estimated that 80% of unimpaired accidents can be avoided 
V2I | Communications between vehicles and road side units | The future of V2I may lead to better driver-assistance systems 
V2N | Communications between vehicles and cellular network in licensed spectrum | Good for infotainment and non-mission critical applications 
V2P | Communications between vehicles and pedestrians | About 20% of road fatalities in US are pedestrians 


Figure 15.1 A generic architecture of V2X communications (trusted authority, vehicle-to-pedestrian and the other V2X links). 


15.1.2 Dedicated Short Range Communications 


The wireless technologies in V2X communications are mostly based on either dedicated 
short range communications (DSRC) or cellular technologies. In December 2003, the Federal 
Communications Commission (FCC) published a Report and Order establishing licensing and 
service rules for DSRC Service in ITS Radio Service in the 5.850-5.925 GHz band (also known 
as the 5.9 GHz band) [176-178]. The 75 MHz DSRC spectrum is further divided into multiple 
channels, as shown in Figure 15.2. Channel 172 is designated exclusively for V2V safety 
communications with high reliability and low latency for accident avoidance and mitigation, 
and safety of life and property applications. Channel 184 is designated exclusively for 
high-power, longer distance communications for public safety applications involving safety 
of life and property, including road intersection collision mitigation. Channel 178 is the 
control channel designated for broadcasting safety-related applications for vehicle safety 
traffic at all power levels. Channels 174, 176, 180, and 182 are service channels that can 
be used for both safety and non-safety communications. The IEEE 802.11p standard is the 
basis for DSRC. As mentioned earlier, it uses channels of 10 MHz bandwidth in the 5.9 GHz 
band, half the channel bandwidth used in IEEE 802.11a. While DSRC is dedicated to V2X 
communications with low latency, it supports only short-range, low-capacity transmissions. 
It cannot support V2X communications in high density scenarios or at large scale [179, 180]. 


Figure 15.2 DSRC spectrum defined in the United States. 


15.1.3 Cellular Based V2X Communications 


Cellular technologies, e.g. LTE and 5G, can provide larger communication coverage, lower 
deployment cost, and better network QoS guarantee compared with DSRC [181]. The 
3GPP has made specific standards for V2X services using LTE in Releases 14 and 15 [182]. 
In particular, LTE-V2X focuses on enhancing V2V and V2P communications that are 
based on the device-to-device (D2D) communications. As part of ProSe services, D2D has 
a designated interface PC5 (also known as sidelink) in the physical layer. The 5G wireless 
networks, as the successor to LTE, have taken into consideration the support for V2X com- 
munications. 5G can be a much more promising solution to real-time V2X services because 
of its enhanced Mobile Broadband (eMBB) with low latency compared with IEEE 802.11p 
and LTE. Moreover, the HetNet structure of the 5G wireless network can satisfy different 
V2X communication scenarios. Many organizations from the telecommunications industry 
and vehicle manufacturers have contributed to 5G-V2X, such as the 5G Automotive 
Association (5GAA) [183] and 5G Communication Automotive Research and innovation 
(5GCAR) [184]. Besides DSRC and cellular communication technologies, some other 
wireless communication technologies such as Bluetooth and satellite communications 
are also considered for particular V2X applications. For instance, LTE-V2X (or general 
cellular-V2X) applies global navigation satellite system (GNSS) as its primary source of time 
synchronization. 
15.2 Security Requirements and Possible Attacks in V2X Communications 


Security and privacy are vital in V2X communications. However, due to the complex 
communication structures, high speed of vehicles, and low latency information exchange, 
it is challenging to secure V2X communications from possible attacks [185, 186]. This 
section briefly lists the security requirements, possible attacks, and an overview of the 
basic solutions. 


15.2.1 Security Requirements 


The primary security services in V2X communications include authentication of infor- 
mation, authorization of entities, privacy of users, and availability of systems [187, 188]. 
Table 15.2 briefly introduces the security requirements in V2X communications at the 
application level. As it shows, V2X security is twofold: one side is to protect legitimate 
entities, and the other is to trace and block unauthorized entities. In LTE-V2X, the 3GPP 
recommends four specific security aspects [183]. First, each entity can authenticate 
and verify that received messages were sent by an authorized entity. Second, data 
confidentiality and integrity should be guaranteed against various attacks. Third, only 
fresh messages will be accepted so that replay attacks and DoS attacks can be alleviated. 
Finally, the cryptographic algorithms should be lightweight and have a high security level 
due to the stringent time requirement and the safety related property. 5G-V2X and other 
V2X technologies are expected to follow the standardization process from 3GPP. 


Table 15.2 Security requirements in V2X communications. 

Requirements | Description 
Entity authentication | Each vehicle, RSU, eNodeB, application server, should be uniquely identified and authenticated. 
Authorization | V2X services are only accessible to authorized entities. 
Message authentication | All messages should be authenticated by the transmitters, and receivers can verify messages from authenticated entities. 
Confidentiality | Required types of messages cannot be disclosed to unauthorized entities. 
Data integrity | Modifications of V2X messages can be detected at the receiver side. 
Non-repudiation | The TA can trace the real identity of a sender. 
Identity anonymity | Anonymity: the real identity of a legitimate user cannot be disclosed to others except for the TA. Unlinkability: no clear relation can be found between a real identity and its corresponding pseudonyms; no clear relation can be found among multiple pseudonyms used by the same vehicle. 
Location anonymity | Real location of an entity cannot be exposed to unauthorized entities. 
Availability | Access to the vehicular network should be granted for all legitimate entities. 
Conditional traceability | The real identities of malicious (and/or unauthorized) users can be easily traced by the TA. 




15.2.2 Attacks in V2X Communications 


Table 15.3 lists a brief summary of possible attacks in V2X communications. V2X com- 
munications are vulnerable to various types of attacks due to open-medium wireless 
transmission as well as the mixture of multiple transmission technologies. Typical attacks 
in wireless transmission such as eavesdropping, MITM, timing, and relay attacks can 
threaten V2X communications. In the meantime, some enhanced features in V2X communi- 
cations, while providing better services to users, also introduce more vulnerabilities. For 
example, compared with other short-range wireless technologies such as Wi-Fi and 
Bluetooth, possible attacks on V2X (especially V2V) target the privacy of users more. 
Therefore, it is straightforward to provide pseudonyms to authorized users for identity 
privacy. Nonetheless, malicious users may take advantage of such a feature to disguise 
their identities and locations. 


Table 15.3 Attacks in V2X communications. 

Attacks | Description | Targeting 
Black hole / Grey hole | Attackers drop all or selective messages without forwarding to targeted entities. | Availability 
Bogus message | An attacker from outside or inside of a V2X system broadcasts fake/junk messages for benefits. | Authorization, Authenticity 
Coalition and platooning | A group of attackers within proximity collaborate on malicious purposes. | Availability 
DoS/DDoS | Attackers tend to deplete the network resources of V2X systems by injecting large volumes of messages. | Availability 
Eavesdropping | An attacker taps into legitimate V2X communication links and collects information passively. | Confidentiality, Privacy 
Infrastructure spoofing | An attacker spoofs the IP address of an RSU, eNodeB, or Application Server and attacks. | Authorization, Availability 
Location tracking | Attackers track the locations of legitimate vehicles by monitoring and analyzing V2X communications. | Privacy 
Masquerade | Attacker filches the identities of legitimate vehicles and sends messages on their behalf. | Authenticity, Privacy 
Message modification | Attackers modify an original message through deleting, adding to, changing, or reorganizing. | Authenticity, Integrity 
MITM | An attacker impersonates a legitimate user to both sides in V2X communications. | Availability, Authenticity, Integrity 
Replay | A malicious vehicle maliciously or fraudulently transmits repeated messages. | Availability, Authenticity 
Selfish | Some V2X entities may refuse to cooperate with others to relay messages. | Availability 
Sybil | An attacker joins a V2X system with multiple real and fake identities to misguide legitimate vehicles. | Authenticity, Authorization 
Timing | A malicious vehicle delays the message delivery process. | Availability, Authenticity, Integrity 




15.2.3 Basic Solutions 


Basic solutions to possible attacks in V2X communications are mainly cryptographic, 
trust based, and privacy oriented schemes. One or multiple schemes may target a 
particular attack, as shown in Figure 15.3. Cryptographic schemes mainly protect 
confidentiality and message authentication from the corresponding attacks. Cryptographic 
schemes are also the foundation of entity authentication protocols. However, crypto- 
graphic schemes alone may not be effective against some attacks in V2X communications, 
such as DoS/DDoS and black/gray hole. Trust based schemes introduce trust levels, e.g. 
by setting reputation scores, to evaluate the trustworthiness of users [189]. An attacker 
can be detected by checking its reputation score. Nonetheless, trust based schemes are 
usually incorporated with cryptographic schemes, e.g. public key infrastructure and 
certificates, for sender authentication and reputation score validation. Privacy oriented 
schemes protect user identity anonymity and location anonymity in V2X communi- 
cations. Pseudonyms are normally applied to V2X communications for user identity 
anonymity. However, pseudonyms may not hide the locations of users, because a user 
entity can be tracked based on safety messages, such as speed, direction, previous location, 
etc. Moreover, V2X communications must provide robust revocation schemes to support 
frequent incoming/outgoing users. Most revocation schemes are cryptographic and/or 
trust based. 


15.3 IEEE WAVE Security Services for Applications 
and Management Messages 


IEEE Standard 1609.2 defines security services for applications and management for Wire- 
less Access in Vehicular Environments (WAVE) [190]. 


15.3.1 Overview of the WAVE Protocol Stack and Security Services 


WAVE provides a communication protocol stack with two types of security services that 
employ both customized and general-purpose elements for V2X communication systems. 
An overview of the WAVE protocol stack and security services is shown in Figure 15.4. 
WAVE Short Message Protocol (WSMP) supports both IP and non-IP data transfers. WAVE 
medium access control (MAC) is a collection of extensions to the IEEE 802.11 MAC [191]. 
The WAVE management entity defines the corresponding network services [192]. The 
Service Access Points (SAPs) are defined to support communications between WAVE 
security services and other entities. 

Figure 15.3 Attacks and solutions. 

Figure 15.4 WAVE protocol stack security services. 

The WAVE Security Services consist of internal security services and higher layer security 
services. The security services and corresponding functions are listed in Table 15.4. The 
secure data service (SDS) transforms the original protocol data units (PDUs) into secured 
protocol data units (SPDUs). SDS also transforms SPDUs to PDUs on reception. SDS 
is provided through a Secure Data Exchange Entity (SDEE). Security management is 
the service that manages certificates. The Certificate Revocation List (CRL) verification 
entity validates incoming CRLs and passes the related revocation information to the 
Security Service Management Entity (SSME) for storage. The Peer-to-Peer (P2P) certificate 
distribution entity enables P2P certificate distribution. 


Table 15.4 WAVE security services. 

WAVE internal security services 
Secure data service | Transforming unsecured PDUs into SPDUs 
Security management | Managing information about certificates 

WAVE higher layer security services 
CRL verification entity | Validates CRLs and passes the revocation information 
P2P certificate distribution entity | Enables peer-to-peer certificate distribution 
15.3.2 Secure Data Service and Security Service Management Entity 


Figure 15.5 shows the processing flow for use of WAVE SDS. The sending SDEE invokes 
a sender security processing request, whose result is an SPDU from the SDS. The sender 
security processing request may be invoked multiple times prior to transmission of an 
SPDU. A similar process is operated at the receiver side to transform the SPDU into a 
PDU. SPDUs may be unsecured, signed, or encrypted. An unsecured SPDU provides a 
trivial implementation if no cryptographic protection is needed. A signed SPDU provides 
sender authenticity, sender authorization, message integrity, and non-repudiation to the 
contents. An encrypted SPDU provides confidentiality to the contents. Multiple layers 
of cryptographic protection can be provided to SPDUs, e.g. signed and then encrypted. 
An SPDU may contain another SPDU of the same or a different type. 

The SSME mainly stores certificates and the information that relates to both certificates 
for which the corresponding private key is stored by the SDS and certificates for which the 
corresponding private key is not stored by the SDS. In particular, the related information 
consists of: the last time relevant revocation information was received; the next time revo- 
cation information is expected to be received; the verification status of the certificate; and 
whether or not the certificate is a trust anchor. The SSME has two Service Access Points 
(SAPs), i.e. the Sec-SAP and the SSME-SAP. The Sec-SAP is used by higher layer entities 
and by the WAVE management entity. The SSME-SAP is used by certain SDS operations, 
e.g. invoking certain primitives. The functions of the two SSME SAPs are listed in Table 15.5. 


Figure 15.5 Processing flow for use of WAVE SDS (sending secure data exchange entity, 
secure data service, receiving secure data exchange entity; sender security processing 
request and result, data transfer, receiver security processing request and result). 


Table 15.5 Functions of Sec-SAP and SSME-SAP. 

SAP | Functions 
Sec-SAP | Add information about certificates; 
  provide information about managed certificates; 
  request that a certificate is verified; 
  request deletion of information about a certificate; 
  add a certificate to its list of trust anchors; 
  update revocation information for a certificate; 
  update information about CRLs relevant to managed certificates; 
  provide information about CRLs relevant to managed certificates; 
  enable application processes associated with P2P certificate distribution. 
SSME-SAP | Provide information about replayed PDUs; 
  provide information to enable P2P certificate distribution; 
  enable configuration of P2P certificate distribution. 
15.3.3 CRL Verification Entity and P2P Certificate Distribution Entity 


WAVE handles entity revocation by recording revoked certificates in CRLs and verifying 
them through the CRL verification entity. A certificate is to be revoked if an appropriately 
authorized entity states that the certificate is no longer trustworthy. Once revoked, all 
SPDUs signed by that certificate after the issue date of the revocation statement are invalid. 
Information about the revoked certificates is stored in CRLs by the SSME and processed by 
the CRL verification entity. An overview of the CRL verification entity processing flows is 
shown in Figure 15.6. The CRL verification entity shall verify a received CRL from the data 
plane. If the CRL is valid, multiple revocation requests may be invoked by the CRL 
verification entity to the SSME. At least one confirmation shall be received at the CRL 
verification entity. Moreover, the CRL verification entity shall pass the revocation 
information contained in the CRL to the SDEE for storage. 

The P2P certificate distribution (P2PCD) is a functionality obtained by the cooperation 
of the P2PCD entity, the SSME, the SDS, and an appropriately behaving SDEE referred to 
as the trigger SDEE. The functional entities on a device that support P2PCD are illustrated 
in Figure 15.7. P2PCD is initiated when a device receives a signed SPDU for which WAVE 
Security Services are unable to construct a certificate chain due to not recognizing the issuer 
of the signed SPDU. The received SPDU is referred to as a trigger SPDU. The device that 
received the trigger SPDU uses P2PCD learning requests to request peer devices to provide 
the necessary certificates to complete the chain. A P2PCD learning request is a field that 
the SDS inserts into SPDUs when signing them on behalf of the SDEE that received the 
original SPDU. P2PCD learning responses are sent as PDUs by the P2PCD entity to P2PCD 
entities on peer devices. The design of the P2PCD service includes special mechanisms to 
reduce the risk of channel flooding by limiting the number of responses to a single request. 
Descriptions of each functional entity are given in Table 15.6. 


Figure 15.6 Processing flows of the CRL verification entity (CRL verification entity, SSME, 
secure data service, data plane; certificate revocation list, signed data verification request 
and confirmation, sender security processing result, revocation request(s) and confirmation(s)). 


Table 15.6 Description of the functional entities in P2P certificate distribution. 

Entity | Functions 
P2PCD entity | Send and receive P2PCD learning responses over the data plane; request the SSME to store the contents of received learning responses. 
Trigger SDEE | Send and/or receive signed SPDUs. 
Data plane | Exchange PDUs between instances of the P2PCD entity and between the instances of the trigger SDEE. 
SDS | Determine if P2PCD needs to be triggered; determine whether to include P2PCD learning requests in SPDUs. 
SSME | Provide information about incoming SPDUs to the SDS; request the SDS to include P2PCD learning requests in SPDUs; store certificates received via P2PCD learning response PDUs; register and request the P2PCD entity to send P2PCD learning responses. 


15.4 Security in Cellular Based V2X Communications 


Cellular based V2X communications are mostly based on LTE and future 5G wireless net- 
works. The current LTE provides security to general mobile communications, thus it can 
be directly applied to LTE based V2I communications. However, cellular based V2V and 
V2P communications require special attention. This section gives a brief introduction to 
the security frameworks of LTE-V2X and 5G-V2X. 


15.4.1 LTE-V2X Communication Security 


The 3GPP defined LTE-V2X architecture is mainly based on PC5 and LTE-Uu communica- 
tion techniques, as shown in Figure 15.8. User equipment (UE) denotes access nodes such as 
vehicles and pedestrians in LTE-V2X. The LTE-Uu supports V2I communications through 
the 3GPP core network (e.g. E-UTRAN in LTE), where the traditional LTE security can be 
applied. UE in V2V and V2P is connected to the V2X control function (VCF), which passes 
the corresponding security parameters to the UE. The authentication and authorization of 
UE are actually controlled by the home subscriber server (HSS). The temporary identities 
and credentials of UE are distributed by the temporary identities management function 
(TIMF) through the V2X key management server (KMS) and the V2X certificate authority (CA). 

Figure 15.8 Security architecture for PC5 and LTE-Uu based V2X communications. 

LTE-V2X introduced three fundamental modifications to PC5 for vehicular use cases, 
addressing high speed (up to 500 km/h) and high density (thousands of nodes). Firstly, 
the sub-frame structure has been modified to include four demodulation reference signal 
(DMRS) symbols, as illustrated in Figure 15.9a. In addition, a Tx-Rx turnaround symbol 
is placed at the end of the sub-frame structure. The DMRS and the turnaround symbols are 
included for better tracking of the channel at high speeds of up to 500 km/h and in the 
5.9 GHz ITS band. Secondly, a new arrangement of scheduling assignment (SA) and data 
resources has been designed, as illustrated in Figure 15.9b. In the new design, SAs or the 
physical sidelink control channel (PSCCH) are transmitted in sub-channels using specific 
resource blocks (RBs) across time. Data transmission associated with the scheduling 
assignments occupies adjacent RBs in the same subframe. This new design is to 
enhance the system level performance while meeting the requirements of high density 
and low latency of V2V communications. Meanwhile, another variant where scheduling 
assignments and associated data transmission are on nonadjacent RBs has also been 
standardized. Finally, a sensing based mechanism with semi-persistent transmission 
has been introduced for distributed scheduling. The basic idea is to estimate future 
congestion on a resource where congestion has been sensed. Because V2V communication 
traffic from a device is mostly periodic in nature, the estimation technique can optimize 
channel usage by enhancing resource separation between transmitters that are using 
overlapping resources. The design is scalable for different bandwidths including 10 MHz 
bandwidth. 


Figure 15.9 Fundamental modifications to PC5. (a) V2X sub-frame for PC5 interface 
(reference signal symbols, Tx-Rx turnaround, downlink timing adjustment). (b) New 
scheduling assignment and data resources (PSCCH, scheduling assignments and data 
resources, data only resources). 
The current LTE Authentication and Key Agreement (LTE-AKA) protocol can be applied 
to mutually authenticate a UE supplicant and the serving network before a UE joins a 
V2X communication [193]. User pseudonym assignment and air interface confidentiality 
can be inherited from the LTE-AKA protocol for LTE-Uu communications. However, no 
additional privacy features beyond the regular LTE privacy features are supported for 
LTE-Uu communications. The 3GPP neither defines security nor mandates privacy features 
for LTE-PC5 communications. If privacy is applied in LTE-PC5 communications, the UE 
shall change and randomize the source ID and IP address when the application layer 
identifier has changed. It is recommended to address privacy at the application layer 
by employing identifiers and credentials that are not linked to long-term UE or user 
identifiers. 


15.4.2 5G-V2X Communication Security 


The 5G-V2X system level architecture supports multiple operations necessary for the 
efficient deployment and automation of network functions of V2X communications, 
including multiple operators, security and privacy, smart zoning, dynamic use of multiple 
Radio Access Technology (RAT) and multi-links, as shown in Figure 15.10. Software 
Defined Networking (SDN) and Network Function Virtualization (NFV) technologies 
allow optimal resource allocations for most V2X use cases. Besides, it would be intuitive to 
integrate different wireless access technologies through the 5G framework because of the 
enhanced support to both 3GPP and non 3GPP accesses. 

Two different solutions are proposed for 5G-V2X security and integrity check of vehicular 
messages. One is to apply the security checks at the application layer in the UE in a 
distributed manner. The other is to exploit the presence of the 5G-V2X network for robust 
security. Figure 15.11 shows an overall security architecture for 5G-V2X [194]. Since the 
wireless communications of the 5G-V2X network mainly inherit the design of LTE-V2X, 
security over the sidelink (i.e. PC5 or 802.11p) and LTE-Uu communications would be 
inherited from those of LTE-V2X. Nonetheless, the HetNet architecture, SDN and NFV 
technologies in 5G will greatly enhance the network performance. 

Figure 15.10 5G-V2X system level architecture. 

Figure 15.11 A security architecture for 5G-V2X. 


15.5 Cryptography and Privacy Preservation in V2X 
Communications 


Cryptographic schemes provide multiple security services in wireless communications. 
Examples of solutions have been introduced in the earlier chapters. Traditionally, 
symmetric key cryptography provides efficient encryption and message integrity. Pub- 
lic key cryptography provides non-repudiation and key distribution. Cryptographic 
schemes also support authentication protocols and authorization. However, the key 
distribution and certificate systems supported by a typical public key infrastructure may 
not work for V2X communications due to the high density of users and the low latency 
requirement. This section focuses on recent schemes targeting scalability and privacy in 
V2X communications. 


15.5.1 Identity Based Schemes 


Identity based schemes intend to simplify public key generation and distribution so as 
to support large scale systems. In short, identity based schemes allow any user to derive 
the public key of any other user from that user's ID. Figure 15.12 shows an overview 
of how identity based schemes can be applied to V2X communications. During the initial- 
ization process, each vehicle registers at the TA with its real ID (RID) and receives the secret 
key and other parameters needed to execute identity based schemes. Since the public keys 
are generated in a distributed fashion, a group head or the RSU is not needed in the pro- 
cess. Nonetheless, the RSU (or a central controller) is needed to detect and report abnormal 
behaviors from malicious vehicles to the TA. 
Figure 15.12 A general architecture of identity based schemes. 


Introduction to bilinear pairing $\hat{e}: G_1 \times G_2 \to G_T$ 


• Preliminaries: $G_1$ and $G_2$ are cyclic additive groups of prime order $q$, and $G_T$ is a cyclic 
multiplicative group of prime order $q$. In most assumptions, $G_1 = G_2 = G$. 
• Bilinearity: for all $P, Q, R \in G$ and non-zero integers $a, b$, 
$\hat{e}(Q, P + R) = \hat{e}(P + R, Q) = \hat{e}(P, Q) \cdot \hat{e}(R, Q)$, 
$\hat{e}(aP, bQ) = \hat{e}(P, bQ)^{a} = \hat{e}(aP, Q)^{b} = \hat{e}(P, Q)^{ab}$. 
• Non-degeneracy: there exist $P, Q \in G$ such that $\hat{e}(P, Q) \neq 1$. 
• Computability: there is an efficient algorithm to compute $\hat{e}(P, Q)$ for any $P, Q \in G$. 


An example in the following text provides an idea of how identity based schemes can 
work to provide digital signatures based on bilinear pairing [195-197]. In this example, the 
domain parameters can be set to: 


$$(\hat{e}, q, G, G_T, g, H_1, H_2, Pu),$$ 


where $\hat{e}$ is a bilinear pairing (as shown in the box earlier) based on $q$, $G$, $G_T$, $g$; 
$H_1 : \{0,1\}^* \to \mathbb{Z}_q^*$ and $H_2 : \{0,1\}^* \to G$ are two cryptographic hash functions; 
$Pu = sg \in G$ is the domain public key (also the public key of the TA) and $s \in \mathbb{Z}_q^*$ is the 
master secret of the TA. The secret key of user $i$ is set to $Pr_i = s H_2(H_1(RID_i)) \in G$ by the 
TA. With the domain secret, a vehicle user $i$ can derive the pseudonym locally as follows: 


$$VID_i = H_1(RID_i) \in \mathbb{Z}_q^*. \quad (15.1)$$ 

The public key of user $i$ is derived based on $VID_i$ as follows: 


$$Pu_i = H_2(VID_i). \quad (15.2)$$ 

Note that $Pu_i$ can be derived locally at any user who bears $VID_i$. Therefore, identity based 
schemes can greatly enhance the performance of public key distribution in large scale V2X 
systems. 

To sign a message $M$, user $i$ first picks a random number $r \in \mathbb{Z}_q^*$ to compute $v = rg \in G$. 
The partial signature is generated as follows: 


$$\sigma_i = \hat{e}(g,\; H_1(M)\, Pr_i + r\, Pu). \quad (15.3)$$ 


The overall signature includes $(\sigma_i, v)$. 
To verify a signature, the receiver applies both the domain public key $Pu$ and the sender's 
$Pu_i$ and checks if: 


$$\hat{e}(Pu,\; H_1(M)\, Pu_i + v) = \sigma_i. \quad (15.4)$$ 

The verification works because 
$$\hat{e}(Pu,\; H_1(M)\, Pu_i + v) = \hat{e}(sg,\; H_1(M)\, Pu_i + rg) = \hat{e}(g,\; H_1(M)\, s\, Pu_i + rsg) = \hat{e}(g,\; H_1(M)\, Pr_i + r\, Pu) = \sigma_i.$$ 


Due to the relatively high complexity, identity based schemes are mostly applied to signa- 
tures and certificates rather than encryption. 


15.5.2 Group Signature Based Schemes 


Group signature provides a solution for efficient processing of digital signatures within 
a large group by enabling every member in a V2X network to sign messages anony- 
mously [198]. Therefore, group signature can greatly reduce the complexity in generating 
and distributing public keys. A typical group signature based scheme is shown in 
Figure 15.13. 

Each vehicle is required to register at the TA with its RID during the initialization 
process. The vehicle also receives the system parameters and a valid vehicle ID (VID). 
Figure 15.13 A general architecture of group signature based schemes. 
System parameters are the domain secrets generated by the TA for further group signature 
cryptography. Developing group signature schemes is mostly based on bilinear pairing tech- 
niques. To join a group, the VID of the applicant needs to be checked against the latest CRL. 
If the VID is on the latest CRL, access will not be granted. Meanwhile, the group head 
will report the VID to the TA, as well as generate a new group public key (GPK) and new 
secret keys for all legitimate vehicles. If access is granted, the group head derives a pri- 
vate key for the requester and sends it through a secured channel. Practical group signature 
schemes can be implemented based on RSA, discrete logarithm, elliptic curve, and bilinear 
pairing [199-202]. Group signature based V2X systems require properly distributed RSUs 
and a trusted group head. Otherwise, the overhead of CRL update may overwhelm the RSUs. 


15.5.3 Batch Verification Schemes 


Batch verification is a method that can verify multiple signatures from different users in 
a batched fashion. Thus, batch verification schemes can be efficient in large scale V2X 
communications [203, 204]. Identity based cryptography is usually combined with 
batch verification [203, 204]. In this process, a pseudo ID is used instead of the RID of a 
vehicle. Given the distributed nature, pseudo IDs can be assumed to be generated by the 
TPD of each vehicle. An example of the modules and functions in a TPD is illustrated in 
Figure 15.14. The authentication module first verifies the pair of RID and password (PWD). 
If valid, the pseudo ID generation module generates the pseudo ID pair $(ID_1, ID_2)$. The pri- 
vate key generation module generates the private key pair $(Pr_1, Pr_2)$. The process is based 
on a bilinear pairing $\hat{e}$ that has been introduced before. In the generation of $(ID_1, ID_2)$, $r$ 
is a random number, $g$ is the generator of $G$, and $Pu_1$ is one of the public keys of the TA. 
In the generation of $(Pr_1, Pr_2)$, $s_1$ and $s_2$ are the secret key pair of the TA, and $H(\cdot)$ is a 
MapToPoint hash function [205]. Note that the TA has a pair of public keys, i.e. $Pu_1 = s_1 g$ 
and $Pu_2 = s_2 g$. 
Given a message $M$, a signature is computed as follows: 


$$\sigma = Pr_1 + h(M) \cdot Pr_2, \quad (15.5)$$ 


where $h(\cdot)$ is a one-way hash function. A single signature is verified as follows: 


$$\hat{e}(\sigma, g) = \hat{e}(ID_1, Pu_1) \cdot \hat{e}\big(h(M)\, H(ID_1 \,\|\, ID_2),\; Pu_2\big). \quad (15.6)$$ 
Tamper-proof device 

Authentication Pseudo ID generation| |Private key generation ID, 
module module module 

BID ID, = 1.4 Pr, =S, .ID —> ve 
=f, i= a 

PWD 1a Pg Teese aes Pr, 

Verify RID and PWD 
ID) = RID ®(r.Pu,)|| |)P?2 = S2- HUD IID) Pm4 


Figure 15.14 Modules and functions in a TPD. 
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Given a batch of signatures generated from messages (M,, M,,...,M,,), the batch verifi- 
cation follows: 


é (Zee) =é (dw : Pu.) ‘e (Spoon) \|ID'), Pu.) ‘ (15.7) 
i=1 i=1 


i=1 


where ID} and ID} are corresponding to M,. 
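As an added worked check (not from the book), Eq. (15.7) follows from Eq. (15.6) by the bilinearity of $\hat{e}$, i.e. $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ and $\hat{e}(P + Q, R) = \hat{e}(P, R)\,\hat{e}(Q, R)$. Substituting $Pr_1^i = s_1 ID_1^i$ and $Pr_2^i = s_2 H(ID_1^i \,\|\, ID_2^i)$ into Eq. (15.5) for each $\sigma_i$:

$$\hat{e}\Big(\sum_{i=1}^{n} \sigma_i,\, g\Big) = \prod_{i=1}^{n} \hat{e}(\sigma_i, g) = \prod_{i=1}^{n} \hat{e}\big(ID_1^i, g\big)^{s_1}\, \hat{e}\big(h(M_i)\, H(ID_1^i \,\|\, ID_2^i),\, g\big)^{s_2}$$

$$= \hat{e}\Big(\sum_{i=1}^{n} ID_1^i,\, s_1 g\Big)\, \hat{e}\Big(\sum_{i=1}^{n} h(M_i)\, H(ID_1^i \,\|\, ID_2^i),\, s_2 g\Big) = \hat{e}\Big(\sum_{i=1}^{n} ID_1^i,\, Pu_1\Big)\, \hat{e}\Big(\sum_{i=1}^{n} h(M_i)\, H(ID_1^i \,\|\, ID_2^i),\, Pu_2\Big),$$

so a batch of $n$ signatures costs three pairings plus $2n$ point additions instead of the $3n$ pairings of $n$ separate checks of Eq. (15.6). The equality only certifies the batch as a whole: when it fails, at least one $\sigma_i$ is invalid and the verifier has to fall back to checking signatures individually, which is the recovery cost noted in Section 15.6.1.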


15.5.4 Reputation and Trust Based Schemes 


Reputation and trust management is used to complement cryptography based schemes 
against some attacks, e.g. DoS and black hole attacks. In general, reputation and trust based 
schemes check the trustworthiness of an entity based on a reputation score, which is gen- 
erated based on the feedback from other users. One of the first reputation systems for 
vehicular networks applies a modular approach that strictly separates direct reputation 
handling, indirect reputation handling, and opinion generation [206]. The description of 
terms direct trust, indirect trust, opinion, and confidence are given in Table 15.7. 

Every forwarding node evaluates the trustworthiness of the message and appends its 
opinion to the message. The developers named the process Opinion Piggybacking, as shown in 
Figure 15.15. An opinion $O_k$ consists of an opinion value $o_k$, a source based reputation level 
$s$, and the ID of the evaluator. The opinion value $o_{i,k}$ is computed from the partial opinion $o_k$ 
from sender node $k$ as follows: 

$$o_{i,k} = r_k\, o_k + (r_{\max} - r_k)\left(r_{\max} - \tfrac{1}{2}\right), \qquad (15.8)$$

where $r_k$ is the direct or indirect reputation value of source node $k$, and $r_{\max}$ is the global 
maximum reputation value. The source based reputation level $s = 1$ if $r_k$ is direct, $s = 2$ 
if $r_k$ is indirect, and $s = 3$ if $r_k$ is not stored locally. Moreover, if $s = 3$, then $o_{i,k} = o_k$. The 
forwarding node opinion $o_i$ is a combination computed as follows: 

$$o_i = \alpha \sum_{k \in O_1} o_{i,k} + \beta \sum_{k \in O_2} o_{i,k} + \gamma \sum_{k \in O_3} o_{i,k}, \qquad (15.9)$$

where $O_s$ is the set of all combined opinions with sender based reputation level $s$. The 
weights $\alpha$, $\beta$, and $\gamma$ are constants set according to system requirements, and $\alpha + \beta + \gamma = 1$. 
A confidence decision is made by evaluating all messages related to the distinct event as 
follows: 

$$f = |M| \cdot \frac{\bar{r}}{a_r} - k, \qquad (15.10)$$

where $M$ is the set of messages announcing a confidence decision event, $|M|$ is the 
number of the messages, $a_r$ is a constant factor of the reputation values, $k > 0$ is a threshold 
of minimum messages required to announce an event, and $\bar{r}$ is the final reputation 
computed similar to Eq. (15.9). It is at the system's discretion to decide if the event is 
prevalent. 

Table 15.7 Description of the functional entities in certificate distribution. 

Term            Description 
Direct trust    Reputation derived from an announced event that can be verified 
Indirect trust  Reputation provided by nodes of which reputation information is known 
Opinion         Evaluation on the trustworthiness of a message 
Confidence      Decision result based on the trust-opinions and reputation levels 

Figure 15.15 Illustration of opinion piggybacking. (A message travels from the sender 
through successive forwarding nodes; each forwarding node appends its opinion $O_1$, $O_2$, 
... to the message before passing it on.) 
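An added Python sketch of opinion piggybacking (not the VARS code and not from the book): a forwarding node assigns the level s to each piggybacked opinion from its local reputation stores, combines them with Eq. (15.9), appends its own opinion, and Eq. (15.10) decides on the event. The partial-opinion weighting of Eq. (15.8) is replaced here by a simple r_k / r_max scaling, and all reputation values, weights, node IDs and the "f > 0" acceptance rule are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed system parameters (not from the book): r_max, alpha + beta + gamma = 1, a_r, k.
R_MAX = 10.0
ALPHA, BETA, GAMMA = 0.5, 0.3, 0.2
A_R = 1.0
K_MIN = 2


@dataclass
class Opinion:
    value: float     # opinion value o_k
    level: int       # source based reputation level s (1 direct, 2 indirect, 3 not stored)
    evaluator: str   # ID of the evaluator k


@dataclass
class Message:
    event: str
    sender: str
    opinions: list = field(default_factory=list)  # piggybacked opinions O_1, O_2, ...


class ForwardingNode:
    def __init__(self, node_id, direct, indirect):
        self.node_id = node_id
        self.direct = direct      # locally stored direct reputation r_k, keyed by node ID
        self.indirect = indirect  # locally stored indirect reputation r_k, keyed by node ID

    def reputation(self, k):
        """Return (s, r_k): s = 1 if r_k is direct, 2 if indirect, 3 if not stored locally."""
        if k in self.direct:
            return 1, self.direct[k]
        if k in self.indirect:
            return 2, self.indirect[k]
        return 3, None

    def partial(self, op):
        """Assumed stand-in for Eq. (15.8): scale o_k by r_k / r_max; for s = 3, o_{i,k} = o_k."""
        s, r_k = self.reputation(op.evaluator)
        return s, (op.value if s == 3 else op.value * r_k / R_MAX)

    def combine(self, msg):
        """Eq. (15.9): o_i = alpha * sum over O_1 + beta * sum over O_2 + gamma * sum over O_3."""
        sums = {1: 0.0, 2: 0.0, 3: 0.0}
        for op in msg.opinions:
            s, o_ik = self.partial(op)
            sums[s] += o_ik
        return ALPHA * sums[1] + BETA * sums[2] + GAMMA * sums[3]

    def forward(self, msg):
        """Opinion piggybacking: compute o_i, append it (with the sender's level s), then forward."""
        o_i = self.combine(msg)
        s, _ = self.reputation(msg.sender)
        msg.opinions.append(Opinion(o_i, s, self.node_id))
        return o_i


def confidence(messages, r_bar):
    """Eq. (15.10): f = |M| * r_bar / a_r - k; the event is accepted when f > 0 (assumed rule)."""
    f = len(messages) * r_bar / A_R - K_MIN
    return f, f > 0
```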


15.5.5 Identity Anonymity Preservation 


Identity anonymity includes conditional anonymity and unlinkability. The conditional 
anonymity requires that the real identity of a user cannot be disclosed to others except for 
the TA. The unlinkability requires that (i) no clear relation can be found between a real 
identity and its corresponding pseudonyms, and (ii) no clear relation can be found among 
multiple pseudonyms used by the same vehicle. The identity based schemes and the group 
signature based schemes described earlier have all taken into consideration the identity 
anonymity in their designs. Nonetheless, they take different approaches. In identity based 
schemes, pseudonyms are used to conceal the real identity and frequently changed to 
prevent tracking. Those pseudonyms are generated with some random value to provide 
unlinkability. In group based schemes, each legitimate group member acquires its group 
private key from the group head to sign messages anonymously. No regular group member 
can identify the real sender of a signature, which provides anonymity within the group. 
The sender is still traceable by the TA, so malicious users can be identified if abnormal 
activities are detected. In some cases, e.g. LTE-V2X, the TA or an RSU is responsible for 
generating pseudonyms. In some other cases, pseudonyms are generated locally so that 
they can be updated frequently in large scale mobile V2X communications [204, 207]. 


15.5.6 Location Anonymity Preservation 


Location anonymity of a user in V2X communications can be endangered in two ways. One 
is by tracking the frequent update of pseudonyms and directly targeting the applications 
of location based services. While a pseudonym hides the identity of a vehicle, it is still 
linked to the broadcasting safety information, e.g. speed, traveling direction, previous 
location, etc. If the pseudonym updates can be tracked and linked to the same vehicle, 
the corresponding location may be revealed to an attacker. To overcome this issue, one possible 
solution is updating pseudonyms at a moment when the safety information of all vehicles 
appears indistinguishable [208, 209]. For example, the safety information for vehicles 
would be close to each other when the traffic light turns from red to green at a crossroad. A 
similar situation can be found at a parking lot, where vehicles frequently enter and leave. 
Whether waiting at traffic lights or parking, vehicles are in a relatively static mode, thus 
a pseudonym change would not be easily linked to any particular vehicle. The solution 
may be extended to semi-static situations. For example, vehicles platooning on a highway 
roughly share the same safety information. Those vehicles can form a group and update 
their pseudonyms based on a synchronized clock or counter. 

In comparison, applications that require location based services can be more vulnerable 
as the location information is directly exchanged between a user and a service provider 
through V2X wireless communication links. Moreover, the server that handles location 
requests may be an untrusted entity and poses threats to user location anonymity. One way 
to tackle this issue is to use ambiguity to obfuscate the real location. For example, in 
k-anonymity based schemes [210, 211], a user carefully picks $k - 1$ dummy locations in 
its vicinity area and sends all $k$ locations (including the real location) in any request. The 
real location will be indistinguishable among the $k$ locations from the view of an 
attacker. Another way to protect location anonymity in location based services is to restrict 
the number of requests so that an attacker cannot get enough information to fetch the 
exact location. For example, a cache server can be deployed to store common and frequent 
requests [212]. A user can query the cache server first to see if the requested service can 
be satisfied based on its real location. If so, location information will not be needed in the 
request. Otherwise, the dummy location based schemes can be applied for the further request. 

However, the drawback of location anonymity could be unsatisfactory service due to inaccu- 
rate location information for the service provider. Moreover, dummy information process- 
ing increases the overhead in both communications and computations, as well as additional 
hardware support for cache servers. 
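An added Python sketch (not from the book or the cited schemes) of the two mechanisms above: a cache-first lookup that sends no location at all when the service is cached, and otherwise a k-anonymity request in which the real location is shuffled among k - 1 dummy locations drawn from its vicinity. The cache is modelled as a local dictionary from service name to answer, which is an assumption; the coordinates and radius in the test are constructed.

```python
import math
import random


def dummy_locations(real, k, radius, rng):
    """Pick k - 1 dummy points uniformly in a disc of the given radius around the real location."""
    dummies = []
    while len(dummies) < k - 1:
        angle = rng.uniform(0.0, 2.0 * math.pi)
        dist = radius * math.sqrt(rng.uniform(0.0, 1.0))  # sqrt gives uniform area density
        dummies.append((real[0] + dist * math.cos(angle), real[1] + dist * math.sin(angle)))
    return dummies


def build_request(service, real, k, radius, cache, rng=None):
    """Cache-first flow: a cached answer needs no location; otherwise send k locations with the
    real one shuffled among the dummies so it cannot be identified by its position in the list."""
    rng = rng or random.Random()
    if service in cache:  # assumed local view of the cache server's common requests
        return {"service": service, "locations": None, "answer": cache[service]}
    locations = dummy_locations(real, k, radius, rng) + [real]
    rng.shuffle(locations)
    return {"service": service, "locations": locations, "answer": None}


def within_radius(real, locations, radius):
    """True if every sent location lies inside the vicinity radius of the real one."""
    return all(math.dist(real, p) <= radius + 1e-9 for p in locations)
```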


15.6 Challenges and Future Research Directions 


V2X communications are still under development. Therefore, many challenges and open 
issues still need to be solved. This section briefly highlights some of the major challenges 
and future research directions towards secure V2X communications. 


15.6.1 Highly Efficient Authentication Schemes 


V2X communications still await highly efficient authentication schemes. Both the DSRC 
and IEEE 1609.2 Standard require vehicles to send safety related messages at every 300 ms 
interval [177, 190]. Given the dynamic environment of vehicles in V2X communications, 
authentication and authorization must be processed highly efficiently at access points 
(e.g. RSUs and base stations) and/or locally by each vehicle in a distributed manner. In 
Section 15.5, the group signature and batch processing based schemes show the potential 
in performance improvement of authentication in V2X communications. However, while 
those schemes have good performance processing legitimate information, they fall short 
on the recovery process when verification results turn invalid. Therefore, future efforts are 
still needed for the enhancement. 
15.6.2 Efficient Revocation Mechanisms 


The IEEE WAVE standard and many recent schemes demand revocation mechanism for 
frequent authentication and handover of vehicles in V2X communications. While the 
basic ideas of revocation are clarified, the efficiency of the revocation schemes remains 
underdeveloped. For example, the application of CRL defined in the IEEE WAVE standard 
requires one-by-one processing, thus being inefficient in handling a large group of vehicles 
at high speed. Furthermore, management of CRL also needs enhancement for scalability 
of V2X communications and traceability from authorized users. 


15.6.3 Advancing OBU and TPD Technologies 


The core components of a vehicle in V2X communications are the OBU and TPD. Although 
research designs may focus on lightweight schemes that can be applied to the less powerful 
OBU and TPD [213], most of the developing schemes assume advanced communication 
capability of OBU and security capability of TPD. Therefore, OBU and TPD technology must 
be advanced to support the developing wireless technologies and cryptographic schemes. 
It is reasonable to assume that an OBU would be comparable (if not more advanced) to 
a smart phone or a computer in terms of communication capability to fully support V2X 
communications. However, TPD technologies are falling behind those that have been applied 
to smart phones and computers. 


15.6.4 Advancing Cryptography and Privacy Preservation Schemes 


The cryptography and privacy preservation schemes in the regular LTE systems lay a 
foundation for V2X communications, especially in V2I communications. However, 
V2V and V2P communications that rely on sidelink of LTE and 5G, as well as other 
wireless technologies do not have default implementation of cryptography and privacy 
preservation schemes. On the positive side, new schemes are being developed, such as 
identity-based schemes, trust based schemes, etc., to mainly handle V2V communications. 
New schemes are also being developed for identity anonymity and location anonymity in 
V2X communications. 


15.6.5 Advancing Solutions to HetNet, SDN, and NFV 


Rather than being a standalone system, V2X is more likely to be an integration of the 
Internet-of-things and other network applications, which are also supported by the 5G 
and beyond wireless networks. The 5G will implement HetNet, SDN, and NFV to achieve 
ultra-low latency and optimal resource management. Security design in 5G-V2X must 
take into consideration the new network structure and take advantage of the flexibility in 
resource management for optimality. 


15.6.6 Advancing Artificial Intelligence in V2X Communication Security 


Artificial intelligence (AI) will play an important role in V2X applications, e.g. for safety 
alert, autonomous driving, traffic monitoring, etc. [214]. AI schemes are also effective 
in security, especially in intrusion detection and attack identification [215, 216]. The AI 
designs need to be refined for better efficiency and scalability of V2X communications. 


15.7 Summary 


V2X communications facilitate the ITS deployment towards safety and autonomous con- 
trol. Wireless technologies such as DSRC, LTE, and 5G will be applied to enable V2X com- 
munications in different applications. Security and privacy must be addressed to integrate 
the variety of wireless technologies and meet special requirements for V2X communica- 
tions. Standards such as IEEE WAVE and LTE-V2X set a general guideline for V2X security 
implementations. New cryptography schemes such as group signature and trust based 
schemes are being developed. There are still challenges to be addressed for security in V2X 
communications, including efficient schemes, hardware enhancement, integration of AI 
algorithms, and some other issues. 